WO2013151797A1 - Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements - Google Patents

Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements Download PDF

Info

Publication number
WO2013151797A1
WO2013151797A1 PCT/US2013/033322 US2013033322W WO2013151797A1 WO 2013151797 A1 WO2013151797 A1 WO 2013151797A1 US 2013033322 W US2013033322 W US 2013033322W WO 2013151797 A1 WO2013151797 A1 WO 2013151797A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
payment
mobile
single use
mobile device
Prior art date
Application number
PCT/US2013/033322
Other languages
French (fr)
Inventor
Mehdi Collinge
Susan Thompson
Patrik Smets
David Anthony Roberts
Michael Christopher Ward
Original Assignee
Mastercard International Incorporated
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mastercard International Incorporated filed Critical Mastercard International Incorporated
Priority to EP13772978.6A priority Critical patent/EP2835004B1/en
Priority to EP19203530.1A priority patent/EP3614712A1/en
Priority to AU2013243805A priority patent/AU2013243805B2/en
Priority to ES13772978T priority patent/ES2761345T3/en
Publication of WO2013151797A1 publication Critical patent/WO2013151797A1/en
Priority to HK15107229.1A priority patent/HK1206900A1/en
Priority to AU2017216488A priority patent/AU2017216488B2/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3823Payment protocols; Details thereof insuring higher security of transaction combining multiple encryption tools for a transaction
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3223Realising banking transactions through M-devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326Payment applications installed on the mobile devices
    • G06Q20/3265Payment applications installed on the mobile devices characterised by personalisation for use
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/355Personalisation of cards for use
    • G06Q20/3552Downloading or loading of personalisation data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/385Payment protocols; Details thereof using an alias or single-use codes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4012Verifying personal identification numbers [PIN]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/405Establishing or using transaction specific rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30Security of mobile devices; Security of mobile applications
    • H04W12/35Protecting application or service provisioning, e.g. securing SIM application provisioning

Definitions

  • the present disclosure relates to provisioning of payment credentials to a mobile device lacking a secure element, specifically the provisioning and storage of payment credentials for use in conducting a near field financial transaction using a mobile device lacking a secure element.
  • NFC near field communication
  • mobile phones with secure element hardware e.g., a Secure Element chip
  • payment account credentials such as credit card credentials.
  • issuers may not have access to a secure element on a mobile device, even if the mobile device has one available.
  • a consumer who has a NFC-capable mobile device may not be able to use their device to conduct payment transactions if their mobile device lacks a secure element, and even in some cases where their mobile device has a secure element.
  • the present disclosure provides a description of a systems and methods for the provisioning of payment credentials to mobile devices lacking secure elements for use in mobile payment transactions.
  • a method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating, by a
  • a card profile associated with a payment account wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile
  • the mobile PIN the mobile PIN
  • a method for generating a payment cryptogram in a mobile device lacking a secure element includes: receiving, by a receiving device, a card profile, wherein the card profile includes at least payment credentials corresponding to a payment account and a profile identifier; receiving, by an input device, a mobile personal identification number (PIN) input by a user of the mobile device; transmitting, by a transmitting device, a key request, wherein the key request includes at least the profile identifier; receiving, by the receiving device, a single use key, wherein the single use key includes at least an application transaction counter and a generating key; generating, by a processing device, a payment cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN; and transmitting, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
  • PIN mobile personal identification number
  • Another method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: storing, in a database, at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program; provisioning, to the mobile device, at least the storage key, an authentication component, and static payment credentials, wherein the static payment credentials are associated with a payment account;
  • CAP chip authentication program
  • KSUN session key unpredictable number
  • UNCLOUD cloud unpredictable number
  • KD C vc3 derived dynamic card validation code key
  • a method for generating a dynamic card validation code in a mobile device lacking a secure element includes: receiving, by a receiving device, at least a storage key, an authentication component, and static payment credentials; receiving, by an input device, at least one additional credential; generating, by a processing device, a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential; transmitting, by a transmitting device, the generated CAP token; receiving, by the receiving device, an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter; decrypting, by the processing device, the encrypted payload using at least the received storage key;
  • CAP chip authentication program
  • a system for generating and provisioning payment credentials to a mobile device lacking a secure element includes a transmitting device, a processing device, a provisioning device, a receiving device, and an authentication device.
  • the processing device is configured to generate a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier.
  • the provisioning device is configured to provision, to a mobile device lacking a secure element, the generated card profile.
  • the receiving device is configured to receive, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier.
  • PIN mobile identification number
  • the authentication device is configured to use the mobile PIN.
  • the processing device is further configured to generate a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction.
  • the transmitting device is configured to transmit the generated single use key to the mobile device.
  • a system for generating a payment cryptogram in a mobile device lacking a secure element includes a processing device, a receiving device, an input device, and a transmitting device.
  • the receiving device is
  • the input device is configured to receive a mobile personal identification number (PIN) input by a user of the mobile device.
  • the transmitting device is configured to transmit a key request, wherein the key request includes at least the profile identifier.
  • the receiving device is further configured to receive a single use key, wherein the single use key includes at least an application transaction counter and a generating key.
  • the processing device is configured to generate a payment cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN.
  • the transmitting device is further configured to transmit, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
  • credentials to a mobile device lacking a secure element includes a database, a provisioning device, a receiving device, a processing device, and a transmitting device.
  • the database is configured to store at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program.
  • the provisioning device is configured to provision, to the mobile device, at least the storage key, an authentication component, and static payment
  • the receiving device is configured to receive, from a mobile device, a chip authentication program (CAP) token.
  • the processing device is configured to: validate the authenticity of the received CAP token; generate a session key unpredictable number (KSUN); generate a cloud unpredictable number (UNCLOUD); and identify an encrypted payload based on a derived dynamic card validation code key (KD C vc3), wherein the encrypted payload includes at least a dynamic card validation code key of the plurality of dynamic card validation code keys, the KSUN, and the application transaction counter.
  • CAP chip authentication program
  • the transmitting device is configured to: transmit the encrypted payload to the mobile device for use in generating a dynamic card validation code for use in a financial transaction; and transmit at least the KSUN, UNCLOUD, and application transaction counter to an issuer associated with the payment account for use in validating the generated dynamic card validation code used in the financial transaction.
  • a system for generating a dynamic card validation code in a mobile device lacking a secure element includes a receiving device, an input device, a processing device, and a transmitting device.
  • the receiving device is configured to receive at least a storage key, an authentication component, and static payment credentials.
  • the input device is configured to receive at least one additional credential.
  • the processing device is configured to generate a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential.
  • the transmitting device is configured to transmit the generated CAP token.
  • the receiving device is further configured to receive an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter.
  • the processing device is further configured to decrypt the encrypted payload using at least the received storage key.
  • the receiving device is further configured to receive, via near field communication, a reader unpredictable number from a point-of-sale terminal.
  • the processing device is further configured to generate a payment dynamic card validation code based on at least the supplied dynamic card validation code, the session key unpredictable number, the application transaction counter, and the reader unpredictable number.
  • the transmitting device is further configured to transmit, via near field communication, the generated payment dynamic card validation code and the application transaction counter to the point-of-sale terminal for including in an
  • FIG. 1 is a high level diagram illustrating a system for generating and provisioning payment credentials to a mobile device in accordance with exemplary embodiments.
  • FIG. 2 is a block diagram illustrating the payment token payload of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 3 is a high level diagram illustrating an alternative system for provisioning payment credentials to a mobile device in accordance with exemplary embodiments.
  • FIG. 4 is a diagram illustrating a method for dual channel communication for use in the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 5 is a flow chart illustrating the experience of a user of the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 6 is a high level diagram illustrating methods for provisioning payment credentials to a mobile device and generating a payment cryptogram in accordance with exemplary embodiments.
  • FIG. 7 is a high level diagram illustrating methods for provisioning payment credentials to a mobile device and generating a dynamic card validation code in accordance with exemplary embodiments.
  • FIG. 8 is a flow diagram illustrating a method for registration of a mobile device for use in the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 9 is a flow diagram illustrating a method for the initialization of a mobile application program on the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 10 is a flow diagram illustrating a method for remote management of the mobile application program of the mobile device in accordance with exemplary embodiments.
  • FIG. 1 1 is a flow diagram illustrating a method for the delivery of a card profile to the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 12 is a flow diagram illustrating a method for the delivery of a single use key to the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 13 is a flow diagram illustrating a method for managing the mobile application program following the update of a mobile personal identification number of the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 14 is a flow diagram illustrating a method for conducting a payment transaction using the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
  • FIG. 15 is a flow chart illustrating an exemplary method for generating and provisioning payment credentials to a mobile device lacking a secure element in accordance with exemplary embodiments.
  • FIG. 16 is a flow chart illustrating an exemplary method for generating a payment cryptogram in a mobile device lacking a secure element in accordance with exemplary embodiments.
  • FIG. 17 is a flow chart illustrating an alternative method for generating and provisioning payment credentials to a mobile device lacking a secure element in accordance with exemplary embodiments.
  • FIG. 18 is a flow chart illustrating an exemplary method for generating a dynamic card validation code in a mobile device lacking a secure element in accordance with exemplary embodiments.
  • FIG. 19 is a block diagram illustrating a computer system
  • Payment Network A system or network used for the transfer of money via the use of cash-substitutes. Payment networks may use a variety of different protocols and procedures in order to process the transfer of money for various types of transactions. Transactions that may be performed via a payment network may include product or service purchases, credit purchases, debit transactions, fund transfers, account withdrawals, etc. Payment networks may be configured to perform transactions via cash- substitutes, which may include payment cards, letters of credit, checks, financial accounts, etc. Examples of networks or systems configured to perform as payment networks include those operated by MasterCard ® , VISA ® , Discover ® , American Express ® , etc.
  • Payment Account A financial account that may be used to fund a transaction, such as a checking account, savings account, credit account, virtual payment account, etc.
  • a payment account may be associated with an entity, which may include a person, family, company, corporation,
  • a payment account may be virtual, such as those accounts operated by PayPal ® , etc.
  • Payment Card A card or data associated with a payment account that may be provided to a merchant in order to fund a financial transaction via the associated payment account.
  • Payment cards may include credit cards, debit cards, charge cards, stored-value cards, prepaid cards, fleet cards, virtual payment numbers, virtual card numbers, controlled payment numbers, etc.
  • a payment card may be a physical card that may be provided to a merchant, or may be data representing the associated payment account (e.g., as stored in a communication device, such as a smart phone or computer).
  • data including a payment account number may be considered a payment card for the processing of a transaction funded by the associated payment account.
  • a check may be considered a payment card where applicable.
  • FIG. 1 is a diagram illustrating a system 100 for the generating and provisioning of payment credentials to a mobile device lacking a secure element.
  • the system 100 may include a user 102.
  • the user 102 may possess a mobile device 104.
  • the mobile device 104 may be any type of mobile computing device suitable for performing the functions as disclosed herein, such as a cellular phone, smart phone, tablet computer, personal digital assistant, etc.
  • the mobile device 104 may not include a secure element.
  • the mobile device 104 may include a mobile payment application 106, which may be an application program stored in data storage of the mobile device 104 and executed by a processor included in the mobile device 104.
  • the mobile payment application 106 may be configured to receive and store payment credentials and conduct payment transactions via near field communication without the use of a secure element, as discussed in more detail herein.
  • the user 102 may have a payment account with an issuer 108, such as a credit card account.
  • the user 102 may desire to use their mobile device 104 to conduct payment transactions using their payment account with the issuer 108 for funding of the transactions.
  • Payment credentials corresponding to the payment account may be stored by a remote-SE (remote-secure element) system 1 10 for provisioning to the mobile device 104.
  • the remote-SE system 1 10 may include at least a payment credentials management service 1 12 and a remote notification server 1 14, each of which are discussed in more detail below.
  • the remote-SE system 1 10 may build a payment token payload in order to provision the payment credentials to the mobile device 104 for use in a payment transaction.
  • the payment token payload may be a container used to carry payment credentials from the remote-SE system 100 to the mobile payment application 106 in the mobile device 104.
  • the payment token payload may include a card profile 1 16 and a single use key 1 18, discussed in more detail below.
  • the card profile 1 16 may include the payment credentials
  • the single use key 1 18 may be a single use (e.g., one-time use) key used to generate a payment cryptogram valid for a single payment transaction.
  • the remote-SE system 1 10 and the mobile device 104 may communicate using dual channel communication, discussed in more detail below.
  • the mobile device 104 may be further configured to transmit a generated payment cryptogram and payment credentials to a point-of-sale terminal 120 at a merchant.
  • the point-of-sale terminal 120 may be any type of point-of-sale terminal or device suitable for receiving payment credentials via near field communication (NFC). Suitable methods and protocols for the secure transmission of information via NFC will be apparent to persons having skill in the relevant art.
  • the point-of-sale terminal 120 may transmit the received payment credentials and other transaction information (e.g., transaction amount, product details, etc.) to an acquirer 122, such as an acquiring bank.
  • the acquirer 122 may submit an authorization request for the payment transaction to a payment network 124.
  • the payment network 124 may be configured to process the authorization request, such as by querying the issuer 108 for approval of the payment transaction (e.g., based on funds or credits in the payment account).
  • the payment network 124 may then submit an authorization response to the acquirer 122 and/or the merchant, who may then finalize the payment transaction with the user 102.
  • Methods and systems suitable for the processing of a financial transaction will be apparent to persons having skill in the relevant art.
  • the system 100 and the use of the payment token payload may enable the user 102 to use the mobile device 104 to conduct NFC payment transactions without the use of a secure element.
  • FIG. 2 is a diagram illustrating the payment token payload provisioned to the mobile device 104 in additional detail.
  • the payment token payload may include the card profile 1 16 and the single use key 1 18.
  • the card profile 1 16 may include payment credentials provisioned to the mobile payment application 106 by the remote-SE system for use in conducting payment transactions.
  • the payment credentials included in the card profile 116 may include common payment credentials 202, magnetic stripe (mag stripe) payment credentials 204, and m/chip payment credentials 206.
  • the common payment credentials 202 may include all data elements common to any type of payment transactions, such as both mag stripe and m/chip payment transactions. Such data elements may include payment account number, tracking data, and card layout description data.
  • the mag stripe payment credentials 204 may include data elements specific to mag stripe transactions, such as the number of digits in an application transaction counter and a bitmap for an unpredictable number and the application transaction counter.
  • the m/chip payment credentials 206 may include data elements specific to m/chip payment transactions, such as issuer action codes, risk management data, and offline data authentication object lists. In some embodiments, the mag stripe payment credentials 204 may be mandatory in the card profile 1 16 and the m/chip payment credentials 206 may be optional.
  • the single use key 1 18 may be a payment token used one time to generate a payment cryptogram to be used in a payment transaction.
  • the single use key may include an application transaction counter (ATC) and a generating key 208.
  • the application transaction counter may be a count of transactions used for fraud management and authentication as will be apparent to persons having skill in the relevant art.
  • the generating key 208 may be a key used to generate a payment cryptogram used in a financial transaction.
  • the generating key 208 may generate a dynamic card validation code (CVC3) or an application cryptogram (AC).
  • the application cryptogram may be optional.
  • the single use key 1 18 may also include an identifier used to identify the card profile 1 16 to which it corresponds to. In some
  • the single use key 1 18 may be protected based on a mobile personal identification number (PIN) value.
  • PIN mobile personal identification number
  • the user 102 may provide a mobile PIN for authentication. If the mobile PIN provided is incorrect, an incorrect value of the single use key may be used by the mobile payment application 06. In such an instance, the issuer 108 will not authorize the payment transaction. Such an embodiment may result in additional security for the user 102, the issuer 108, and the merchant involved in the payment transaction.
  • FIG. 3 illustrates an alternative system 300 for generating and provisioning payment credentials to the mobile device 104 lacking a secure element.
  • the mobile device 104 may include the mobile payment application 106.
  • the mobile device 104 may also include storage 304, such as a database.
  • the remote-SE system 1 10 may include a cloud system 302.
  • the cloud system 302 may store keys, payment credentials, and an application transaction counter, which may be provisioned from the cloud system 302 to the mobile device 104 and stored in the storage 304.
  • the mobile device 104 may generate a chip authentication program (CAP) token.
  • CAP chip authentication program
  • the generation and use of CAP tokens will be apparent to persons having skill in the relevant art.
  • the mobile device 104 may transmit the generated CAP token to the cloud system 302.
  • the cloud system 302 may then authenticate (e.g., validate) the CAP token, such as by using a CAP token validation system as will be apparent to persons having skill in the relevant art.
  • the cloud system 302 may then generate unpredictable numbers, and may generate an encrypted payload including a derived dynamic card validation code key (KD C vc3) and the generated unpredictable number.
  • KD C vc3 derived dynamic card validation code key
  • the cloud system 302 may also transmit at least some of the information to the issuer 108.
  • the issuer 108 may store the received information in an issuer database 310.
  • the encrypted payload may be transmitted to the mobile device 104, which may decrypt the payload and then generate a dynamic card validation code based on the information included in the encrypted payload and stored payment credentials.
  • the user 102 may shop at a merchant 306, and, when goods or services have been selected for purchase, may transmit the payment credentials and dynamic card validation code from the mobile device 104 to the point-of-sale terminal 120.
  • the point-of-sale terminal 120 may transmit the information and relevant transaction information to the acquirer 122.
  • An acquirer processing server 312 may receive the information at the acquirer 122 and may generate and submit an authorization request for the financial transaction including the payment credentials and dynamic card validation code to the payment network 124.
  • the payment network 124 may forward relevant information to the issuer 108 for authorization of the transaction for a specific transaction amount.
  • the issuer 108 may include an issuer processing server 308.
  • the issuer processing server 308 may authenticate the dynamic card validation code based on the information stored in the issuer database 310 and received from the cloud system 302. The issuer 108 may then, based on the authentication, approve or deny the payment transaction.
  • the issuer 108 may submit a response to the payment network 124, which may then submit an authorization response to the acquirer 122.
  • the acquirer may inform the merchant 306 of the results of the authorization, who may then finalize the transaction with the cardholder 102.
  • FIG. 4 illustrates a method for dual channel communication for use in the system 100 of FIG. 1 for communication between the mobile device 104 and the remote-SE system 1 10. Dual channel communication may enable the mobile device 104 and the remote-SE system 110 to
  • Dual channel communication may include using remote notification 402 as a first channel, and mutual authentication 404 as a second channel.
  • Remote notification 402 may be performed between the remote notification service 1 14 and the mobile device 104.
  • the payment credentials management service 1 12 may generate information, such as the single use key 1 18, to be provided to the mobile payment application 106.
  • the payment credentials management service 1 12 may generate a message including the single use key encrypted with a random key to be provided and may encrypt the message using the mobile key.
  • the remote notification service 1 14 may then transmit the message to the mobile device 104 using remote notification.
  • the mobile device 104 may provide the message to the mobile payment application 106, which may then decrypt the message using the shared mobile key, and then may decrypt the encrypted single use key with the random key, and thus use the single use key in a payment transaction.
  • Methods for transmission of message using remote notification will be apparent to persons having skill in the relevant art.
  • Mutual authentication 404 may be used in instances where additional security may be desired, such as in forming an initial connection between the mobile device 104 and the remote-SE system 1 10.
  • the mutual authentication 404 may use SSL/TLS communication to authenticate the remote-SE system 1 10 to the mobile device 104, and may use an
  • SSL TLS communication is a standard method of communication as will be apparent to persons having skill in the relevant art.
  • authentication code may be a hash computed over a set of data known by both the remote-SE system 1 10 and the mobile device 104.
  • the authentication code may be computed over a unique identifier defined by the remote-SE system 1 10 to uniquely identify the mobile device 104, which may be provided to the mobile payment application 106 during initialization, discussed in more detail below.
  • the remote-SE system 1 10 may be computed over a unique identifier defined by the remote-SE system 1 10 to uniquely identify the mobile device 104, which may be provided to the mobile payment application 106 during initialization, discussed in more detail below.
  • the authentication code may be based on, in part, a session identifier.
  • the session identifier may be transmitted from the remote-SE system 1 10 to the mobile device 104 using remote notification 402.
  • the session identifier may be encrypted (e.g., using the mobile key).
  • the mobile key may be used to decrypt the session identifier to be used to build the authentication code to be used for the mutual authentication 404.
  • the mobile device 104 and the remote-SE system 1 10 may both include the mobile key to be used as a shared key for the encrypting and decrypting of messages transmitted via remote notification.
  • the mobile payment application 106 may also include a local storage encryption key.
  • the local storage encryption key may be generated by the mobile payment application 106 and used to provide the storage 304 as an encrypted local database.
  • the storage 304 may then store the shared mobile key, received payment credentials, and any additional information in the mobile device 104 to prevent unauthorized access.
  • FIG. 5 illustrates a method 500 for the initialization and use of the mobile payment application 106 in the mobile device 104.
  • the user 102 may register with the remote-SE system 1 10 to use the mobile device 104 for contactless payment transactions.
  • the user 102 may register with the remote-SE system 1 10 using the mobile device 104 or another computing device, such as a desktop computer.
  • Registration may be performed via a web browser, application program, or any other suitable method as will be apparent to persons having skill in the relevant art.
  • the user 102 may provide account information for the payment account with which the user 102 wants to use for payment transactions using the mobile device 104.
  • the user 102 may receive an activation code and may also identify and/or receive a unique identifier used to identify the user 102.
  • step 504 the user 102 may install the mobile payment
  • step 504 may be performed before or concurrently with step 502.
  • the user 102 may initialize/activate the mobile payment application 106.
  • the user 102 may enter the activation code received in step 502 into the mobile payment application 106.
  • the mobile payment application 106 may then communicate with the remote-SE system 1 10 and may receive the shared mobile key.
  • the mobile payment application 106 may also generate the local storage encryption key and encrypt the storage 304 to create the local encrypted database.
  • the remote-SE system 1 10 may transmit the card profile 1 16 to the mobile device 104.
  • the mobile device 104 may receive a remote notification message to notify the user 102 that the mobile payment application 106 must connect with the remote-SE system 1 10 using mutual authentication 404.
  • the remote- SE system 1 10 may then transmit the card profile including payment credentials for the account specified by the user 102 in step 502, which may then be stored by the mobile payment application 106 in the local encrypted database 304.
  • the remote-SE system 1 10 may transmit a single use key 1 18 to the mobile payment application 106.
  • the transmission may be performed using mutual authentication 404 in the same process performed in step 510.
  • steps 508 and 510 may be combined in a single step, such that the remote-SE system may transmit both the card profile 1 16 and a single use key 1 18 to the mobile payment application 106 in a single or consecutive transactions.
  • the mobile device 104 may conduct a contactless/NFC payment transaction using the mobile payment application 106 and the single use key 1 18.
  • the mobile payment application 106 may generate a payment cryptogram, discussed in more detail below, and may transmit the generated cryptogram and payment credentials to a point-of-sale terminal 120. Methods for transmitting payment credentials and a payment cryptogram to a point-of-sale terminal 120 via NFC will be apparent to persons having skill in the relevant art.
  • the mobile payment application 106 may identify if there are any single use keys 1 18 available for use in subsequent payment transactions. If there are additional keys 1 18 available for use, then the method 500 may return to step 512 where additional payment transactions may be conducted with the remaining single use key(s) 1 18. If there are no single use keys 1 18 remaining, then, the method 500 may return to step 510 where connection may be made with the remote-SE system 1 10 and a new single use key 1 18 provisioned to the mobile device 104.
  • FIG. 6 illustrates a more detailed version of the system 100 and illustrates the process by which payment credentials may be generated and provisioned to the mobile device 104 and the mobile device 104 used to conduct a contactless payment transaction without the use of a secure element.
  • the user 102 may register with the remote-SE system 110.
  • the remote-SE system 1 10 may store the user registration information (e.g., payment account information) in a database 602 and may return an activation code to the user 102.
  • the user 102 may then install the mobile payment application 106 on the mobile device 104 and activate the mobile payment application 106 using the activation code.
  • the remote-SE system 1 10 may transmit a shared mobile key 604 to the mobile payment application 106.
  • the mobile payment application 106 may also generate a local storage encryption key and may encrypt the storage 304 on the mobile device 104.
  • the mobile key 604 may be stored in the local encrypted database 304.
  • the payment credentials management servicel 12 may store the shared mobile key 604 in the database 602.
  • the payment credentials management service 1 12 may also identify payment credentials
  • the remote notification service 1 14 may transmit a remote notification to the mobile device 104 to indicate to the user 102 that the card profile 1 16 is ready to be downloaded to the mobile payment application 106.
  • the mobile payment application 106 may then communicate with the payment credentials management service 1 12 using mutual authentication and receive the card profile 116 from the remote-SE system.
  • the mobile payment application 106 may then store the received card profile 1 16 in the local encrypted database 304.
  • the payment credentials management service 1 12 may also generate a single use key 1 18 including a generating key. In some embodiments, the single use key 1 18 may be generated in response to the receipt of a key request from the mobile device 104. In a further,
  • the key request may include a mobile PIN.
  • the payment credentials management service 1 12 may have previously stored the mobile PIN (e.g., as set by the user 102) in the database 602.
  • the payment credentials management service 1 12 may then transmit the generated single use key 1 18 to the mobile device 104, which may then store the single use key 1 18 in the local encrypted database 304.
  • the single use key 118 may be incorrect (e.g., fake, not genuine, etc.) if the key request includes a mobile PIN for which
  • the key may have been combined with the PIN such that when used it is incorrect without any explicit authentication step.
  • the card profile 1 16 and/or the single use key 1 18 may be encrypted by the payment credentials management service 1 12 prior to transmission to the mobile device 104, such as by using the mobile key 604.
  • the mobile payment application 106 may then decrypt the received message, also using the shared mobile key 604, or, in some embodiments, a random key.
  • the user 102 may shop at a merchant 306 and select goods or services for purchase. The user 102 may then input to the mobile payment application 106 that a payment transaction is to be conducted. The mobile payment application 106 may then generate a payment cryptogram using the generating key included in the single use key 1 18.
  • the payment cryptogram may be, for example, an application cryptogram or a dynamic card validation code (CVC3).
  • CVC3 dynamic card validation code
  • the merchant point-of-sale terminal 120 may transmit the received payment information and any additional transaction information (e.g., transaction amount, merchant identifier, etc.) to the acquirer processing server 312 of the acquirer 122.
  • the acquirer processing server 312 may then generate and submit an authorization request for the financial transaction to the payment network 124.
  • the payment network 124 may transmit relevant transaction data, such as the payment information and transaction amount, to the issuer processing server 308.
  • the issuer processing server 308 may then validate the application cryptogram. If the validation is successful, the issuer may approve the payment transaction for the transaction amount (e.g., based on an available amount, credit, etc. for the payment account). If the validation is unsuccessful, the issuer may deny the payment transaction. Methods for validating a cryptogram will be apparent to persons having skill in the relevant art.
  • the remote-SE system 1 10 may transmit information to the issuer 108 for storage in the issuer database 310, such as for fraud management.
  • information will be apparent to persons having skill in the relevant art and may include, for example, application transaction counters. Methods suitable for performing the functions as disclosed herein are discussed in more detail below with respect to the flow diagrams illustrated in FIGS. 8-14.
  • FIG. 7 illustrates a more detailed version of the alternative system 300 and illustrates the process by which payment credentials may be generated and provisioned to the mobile device 104 and the mobile device 104 used to conduct a contactless payment transaction without the use of a secure element.
  • the user 102 may install the mobile application program 106 on the mobile device 104.
  • the mobile application program 106 may store authentication keys and credentials in the storage 304 as received from the remote-SE system 1 10.
  • a storage key (KSTO AGE) may be stored in the storage 304 as well.
  • additional information including static payment credentials, may be stored in the storage 304.
  • the user 102 may launch the mobile payment application 106 using the mobile device 104.
  • the mobile payment application 106 may connect with the remote-SE system 1 10 via the cloud system 302, such as by using SSL authentication or any other suitable method for authenticated transmission.
  • the cloud system 302 may transmit payment credentials to the mobile payment application 106, which may then be stored in the storage 304.
  • the mobile payment application 106 may generate a CAP token used for authentication.
  • the user 102 may supply additional authentication credentials, such as a gesture, a password, or a biometric identifier.
  • the mobile payment application 106 may transmit the generated CAP token to the remote-SE system 100.
  • the CAP token may be forward to a CAP token validation service (CTVS) 702.
  • CTVS 702 may validate the CAP token using methods apparent to persons having skill in the relevant art.
  • the results of the validation may be sent to the payment credentials management system 704.
  • the payment credentials management system 704 may be operated by or on behalf of the issuer 108.
  • the payment credentials management system 704 may generate an encrypted payload.
  • the payment credentials management system 704 may generate a session key unpredictable number (KSUN), a cloud unpredictable number (UNCLOUD), and may identify and/or store a plurality of dynamic card validation code (CVC3) keys and the KSTORAGE.
  • KSUN session key unpredictable number
  • UNCLOUD cloud unpredictable number
  • CVC3 dynamic card validation code
  • Methods and systems for the generation of unpredictable numbers will be apparent to persons having skilled in the relevant art.
  • the encrypted payload may include at least one CVC3 key, the KSUN, and the application transaction counter and may be generated using a derived CVC3 key (KD C vc3)- In one embodiment, the KD C vc3 used may be fake if the CAP token validation is unsuccessful.
  • KD C vc3 derived CVC3 key
  • the payload may be encrypted using the KSTORAGE- [0085]
  • the payment credentials management system 704 may perform a synchronization process with the issuer 108.
  • the synchronization process may include defining rules for the validity of the values generated by the mobile payment application 106 for conducting a payment transaction.
  • the process may include transmitting at least the KSUN, application transaction counter, and UNCLOUD to the issuer 108 for storage in the issuer database 310.
  • the encrypted payload may be transmitted to the cloud system 302 for transmitting to the mobile payment application 106 in stage 9.
  • the encrypted payload may be decrypted using the K STO RAGE and stored in the storage 304.
  • the user 102 may shop at the merchant 306 and select goods or services for purchase.
  • the mobile payment application 106 may generate a payment CVC3 value.
  • the mobile device 104 may communicate with the point-of-sale terminal 120.
  • the point-of-sale terminal 120 may generate a reader unpredictable number (UN RE ADER) and transmit the UNREADER to the mobile payment application 106, which may then generate the payment CVC3 value using the information in the encrypted payload and the UNREADER-
  • the generated payment CVC3 value and the application transaction counter may be transmitted to the point-of-sale terminal 120 via NFC.
  • the user 102 may be required to enter a PIN at the point-of-sale terminal 120 for additional authentication at stage 13.
  • the point-of-sale terminal 120 may execute standard NFC payment transaction processes as will be apparent to persons having skill in the relevant art.
  • the point-of-sale terminal 120 may generate an authorization request for the payment transaction, which may include the UNREADER, the generated CVC3 value, the application transaction counter, and, if applicable, the PI N value input by the user 102.
  • the acquirer processing server 312 may translate the PI N included in the authorization request using methods apparent to persons having skill in the relevant art. It will be further apparent that stage 16 may be optional.
  • the authorization request may be forwarded to the payment network 124, which may forward the authorization request and/or information included in the authorization request to the issuer 08.
  • the issuer may verify the translated PI N.
  • the issuer 108 may identify if additional processing is necessary and may, if necessary, retrieve the values stored in the issuer database 310.
  • the issuer processing server 308 may validate the payment CVC3 value using at least the UNREADER, UNQLOUD, and application transaction counter. Methods for validating a CVC3 will be apparent to persons having skill in the relevant art.
  • the issuer 108 may submit a response based on the validation, and the method may proceed accordingly as in traditional payment transactions.
  • FIG. 8 is a flow diagram illustrating a method for the user 102 to register with the remote-SE system 1 10 to enable a payment account for remote payment transactions using a mobile device 104 lacking a secure element.
  • the user 102 may access the registration system of the remote-SE system 110.
  • the user 102 may access the system via a web browser 804, which may be executed on a computing device.
  • the computing device may be the mobile device 104.
  • the user 102 may navigate to a webpage hosted by or on behalf of the remote-SE system 1 10.
  • the user 102 may register with the payment credentials management service 1 12 via the browser 804. As part of the registration, the user 102 may provide account details for a payment account, and the payment credentials management service 1 12 may ensure the payment account is eligible for remote payment transactions.
  • the payment credentials management service 1 12 may create a user profile for the user 102 in the remote-SE system 1 10. In some embodiments, a user profile may also be created in the issuer system 108. As part of the creation of the user profile, the payment credentials management service 1 12 may generate and/or identify an activation code. At step 812, the user registration may be completed and the activation code transmitted back to the 102 via the browser 804. At step 814, the payment credentials management service 1 12 may synchronize information (e.g., the user profile, activation code status, etc.) with the issuer 108 for fraud management. It will be apparent to persons having skill in the relevant art that step 814 may be optional.
  • information e.g., the user profile, activation code status, etc.
  • the user 102 may receive the activation code via the web browser 804.
  • the user 102 may download the mobile payment application 106 to the mobile device 104.
  • the user 102 may utilize an app store 802, such as the Apple® App Store, to download the mobile payment application 106.
  • the mobile payment application 106 may be validated and installed on the mobile device at step 820 using methods and systems apparent to persons having skill in the relevant art.
  • the mobile payment application 106 may be successfully installed on the mobile device 104 and may await initialization.
  • FIG. 9 is a flow diagram illustrating a method for initialization of the mobile payment application 106 on the mobile device 104 for use in contactless payment transactions.
  • the user may start (e.g., execute) the mobile payment application on the mobile device 104.
  • the mobile payment application 106 may perform an integrity check. As part of the integrity check, the mobile payment application 106 may authenticate the user 102 and request the activation code provided to the user 102 during the registration process (e.g., at step 812 in FIG. 8).
  • the mobile payment application 106 may generate a unique identifier and additional values and keys, such as a local database storage key (e.g., mobile storage key).
  • the mobile payment application 106 may connect to the payment credentials management service 1 12 using mutual authentication.
  • the mobile payment application 106 may transmit the activation code and any other additional user authentication information (e.g., a user identifier, a password, etc.) as a method of authentication.
  • the mobile payment application 106 may also transmit the generated unique identifier.
  • the user 102 may also provide a mobile PIN to be transmitted to the payment credentials management service 1 12 as part of step 908.
  • the payment credentials management service 1 12 may validate the mobile payment application 106 using the provided
  • the authentication information may, if validated, update the user profile to include the unique identifier.
  • the payment credentials may, if validated, update the user profile to include the unique identifier.
  • the payment credentials management service 1 12 may also register the mobile device 104 with the remote notification service 1 14 using the unique identifier.
  • the payment credentials management service 1 12 may generate the shared mobile key 604 and may store the shared mobile key 604 in the user profile.
  • the payment credentials management service 1 12 may synchronize with the issuer 108 for fraud management.
  • the mobile payment application 106 may receive the shared mobile key 604 from the payment credentials management service 1 12 and may store the mobile key 604 in the encrypted local storage 304.
  • the mobile payment application 106 may wipe the mobile storage key, such that the encrypted local storage 304 may not be access without authorization.
  • the mobile payment application 106 may store data with which the mobile storage key is generated separate from the encrypted local storage 304 for use in regenerating the mobile storage key for access to the encrypted local storage 304.
  • the mobile payment application 106 may be ready for remote management by the payment credentials management service 112. In some embodiments, the mobile payment application 106 may notify the user 102 when initialization is completed.
  • FIG. 10 is a flow diagram illustrating a method for remote
  • the payment credentials management service 1 12 may receive a trigger to start the remote management of the mobile payment application 106.
  • the trigger may be received from the payment credentials management service 1 12 itself based on predefined rules.
  • the trigger may be received from the issuer 108.
  • the payment credentials management service 1 12 may prepare data for remote notification. The preparation of data may include the building of a notification based on a function to be performed, such as the provisioning of the card profile 1 16, provisioning of a single use key 1 18, changing of the mobile PIN, etc. An exemplary method for provisioning of the card profile 1 16 to the mobile device 104 is discussed in more detail below with reference to FIG. 1 1.
  • the payment credentials management service 1 12 may build a message including the notification and a session identifier, and then may encrypt the message using the mobile key 604.
  • the payment credentials management service 1 12 may also identify the mobile device 104 for receipt using the unique identifier in the user profile.
  • step 1004 may include the provisioning of the single use key 1 18, the single use key 1 18 may be encrypted using a random key (e.g., or suitable key other than the mobile key 604), and then the encrypted single use key may be encrypted using the mobile 604 and provisioned to the mobile payment application 106 similar to the encryption and transmission of the message as disclosed herein.
  • the payment credentials management service 1 12 may transmit the encrypted message to the mobile payment application 106 using remote notification 402.
  • remote notification 402 may include the forwarding of the encrypted message to the remote notification service 1 14, which may transmit the encrypted message to the mobile device 104 using remote notification, which may then make the encrypted message available to the mobile payment application 106.
  • the mobile payment application 106 may receive the encrypted message.
  • step 1010 the user 102 may start the mobile payment application 106. It will be apparent to persons having skill in the relevant art that step 1010 may be optional (e.g., the mobile payment application 106 may start upon receipt of the encrypted message, the mobile payment application 106 may always run in the background, etc.).
  • step 1012 the mobile payment application 106 may start, which may include regenerating the mobile storage key, retrieving the mobile key 406 from the local encrypted storage 304, and decrypting the message using the retrieved mobile key 406.
  • step 1014 the mobile payment application 106 may connect to the payment credentials management service 1 12 using mutual
  • the payment credentials management service 1 12 may validate the authentication credentials transmitted by the mobile payment application 106. If validated, the payment credentials management service 1 12 may then have a secure connection with the mobile payment application 106 and may proceed with the function indicated in the notification.
  • FIG. 1 1 is a flow diagram illustrating a method for provisioning the card profile 1 16 to the mobile payment application 106 of the mobile device 104 by the payment credentials management service 1 12.
  • the payment credentials management service 12 may build the payment token payload card profile 1 16.
  • the card profile 1 16 may include payment credentials for the payment account indicated by the user 102 during registration, which may have been stored in the user profile.
  • the payment credentials management service 1 12 may build the card profile by generating a message including the payment credentials, generating a mobile session key, and encrypting the message using the mobile session key.
  • the payment credentials management service 1 12 may store the card profile 1 16 in the user profile and, in step 1 104, may transmit the message including the card profile 116 to the mobile payment application 106.
  • the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message.
  • the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message.
  • the mobile payment application 106 may build a receipt message indicating successful receipt and validation of the card profile 1 16, and may be used as an activation message and/or used to carry information from the mobile payment application 106 to the remote- SE system 1 10.
  • the receipt message may be encrypted using the mobile session key.
  • the mobile payment application 106 may also update a status to indicate that the card profile 1 16 is successfully received and stored.
  • the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated.
  • the payment credentials management service 1 12 may activate the card profile 1 16 and may update the user profile accordingly.
  • the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the card profile 1 16 has been activated and may wipe the mobile session key.
  • the payment credentials management service 1 12 may synchronize the user profile indicating activation of the card profile 116 with the issuer 108 for fraud management.
  • step 1 120 the mobile payment application 106 may analyze the return code indicating activation of the card profile 1 16.
  • step 1122 the mobile payment application 106 may wipe the mobile session key, and in step 1 124 may be ready to receive single use keys 1 18 for use in conducting payment transactions.
  • the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that single use keys 1 18 may be received.
  • FIG. 12 is a flow diagram illustrating a method for the provisioning of single use keys 1 18 to the mobile payment application 106 in the mobile device 104 by the payment credentials management service 1 2 for use in payment transactions.
  • the encrypted single use key 118 may be previously transmitted to the mobile payment application 106 in a message encrypted by the mobile key 604.
  • the payment credentials management service 1 12 may build a message with an action to activate (e.g., decrypt) the previously provisioned single use key 1 18, the message including the random key used to encrypt the single use key 1 18.
  • the payment credentials management service 1 12 may then generate a mobile session key and then may encrypt the message including the random key using the mobile session key.
  • the payment credentials management service 1 12 may then, in step 1204, transmit the message including the random key to the mobile payment application 106.
  • the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message.
  • the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message.
  • the mobile payment application 106 may also decrypt the single use key 1 18 using the random key included in the decrypted message, and may validate the decrypted single use key 1 18.
  • the mobile payment application 106 may build a receipt message indicating successful receipt and validation of the single use key 1 18.
  • the receipt message may be encrypted using the mobile session key.
  • the mobile payment application 106 may also update a status to indicate that the single use key 1 18 is successfully received and stored and that the mobile payment application 106 is ready to conduct a payment transaction.
  • the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated.
  • the payment credentials management service 1 12 may activate the single use key 1 18 and may update the user profile accordingly.
  • the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the single use key 1 18 has been activated and may wipe the mobile session key.
  • the payment credentials management service 1 12 may synchronize the user profile indicating activation of the single use key 1 18 with the issuer 108 for fraud management.
  • the mobile payment application 106 may analyze the return code indicating activation of the single use key 1 18.
  • the mobile payment application 106 may wipe the mobile session key, and in step 1224 may be ready to conduct a contactless payment transaction.
  • the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that the mobile payment application 106 is ready to conduct a contactless payment transaction.
  • FIG. 13 is a flow diagram illustrating a method for the management of a change in the mobile PIN of the user 102 in the mobile payment application 106 by the payment credentials management service 1 12.
  • the payment credentials management service 1 12 may build a remote management action indicating a change to the mobile PIN and removal of all stored single use keys 1 18.
  • the payment credentials management service 1 12 may build a message including the remote management action, generate a mobile session key, and encrypt the message using the mobile session key.
  • the payment credentials management service 1 12 may, in step 1304, transmit the message including remote management action to the mobile payment application 106.
  • the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message.
  • the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message. Once the message has been validated, the mobile payment application may update the card profile 1 16 accordingly and may remove any available single use keys 1 18 from the encrypted local storage 304. Then, at step 1310, the mobile payment application 106 may build a receipt message indicating successful receipt and execution of the remote management action. The receipt message may be encrypted using the mobile session key.
  • the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated.
  • the payment credentials management service 1 12 may update the user profile accordingly.
  • the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the user profile has been updated and no single use keys 118 have been issued, and may wipe the mobile session key.
  • the payment credentials management service 1 12 may synchronize the user profile indicating the change to the mobile PIN and wiping of single use keys 1 18 with the issuer 108 for fraud management.
  • step 1320 the mobile payment application 106 may analyze the return code.
  • step 1322 the mobile payment application 106 may wipe the mobile session key, and in step 1324 may be ready to receive single use keys 1 18 for use in conducting payment transactions.
  • the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that single use keys 1 18 may be received.
  • FIG. 14 is a flow diagram illustrating a method for conducting a contactless payment transaction using the mobile payment application 106 on the mobile device 104 using the card profile 1 16 and single use key 1 18 provisioned by the payment credentials management service 1 12.
  • the user 102 may start the mobile payment application 106 on the mobile device 104.
  • the mobile payment application 106 may prepare for payment.
  • the mobile payment application 106 may regenerate the mobile storage key and may retrieve the payment credentials and generating key from the card profile 1 16 and the single use key 1 18 in the encrypted local storage 304.
  • the generating key may be used by the mobile payment application 106 to generate a payment cryptogram for use in the payment transaction.
  • the mobile payment application 106 may also indicate to the user 102 that the application is ready for payment.
  • a NFC payment method may be executed between the user 102, the mobile device 104, the mobile payment application 106, and the point-of-sale terminal 120.
  • Methods for executing transmission of payment credentials from a mobile device to a point-of-sale terminal will be apparent to persons having skill in the relevant art.
  • the point-of-sale terminal 120 at the merchant 306 may provide transaction data to the acquirer 122 including the payment credentials and payment cryptogram.
  • the acquirer 122 may submit an authorization request including the transaction data to the payment network 124.
  • the payment network 124 may seek authorization from the issuer 108 for the payment transaction and may forward relevant information to the issuer 108.
  • the issuer 108 may validate the payment cryptogram using methods that will be apparent to persons having skill in the relevant art. The issuer 108 may, once the payment cryptogram is validated, approve or deny the payment transaction (e.g., based on a transaction amount and available credit in the payment account for the user 102) and notify the payment network 124.
  • the payment network 124 may submit an authorization response to the acquirer 122, which may then forward the response to the merchant 306 and/or point-of-sale terminal 120 at step 1418.
  • the merchant may finalize the payment transaction, such as by providing the transacted goods or services to the user 102 or by providing a receipt to the user 102.
  • the mobile payment application 106 may, at step 1422, update the payment token payload stored in the encrypted local storage 304 based on the outcome of the payment transaction.
  • the mobile payment application 106 may wipe the mobile storage key, and at step 1426, may indicate (e.g., to the user 102) that the mobile payment application 106 is ready for another contactless payment transaction (e.g., if additional single use keys 1 18 are available) or to receive single use keys 1 18.
  • the payment transaction may be conducted via the use of local data authentication (LDA).
  • LDA local data authentication
  • the storage of payment credentials received by the mobile device 104 in the encrypted local storage 304 may be such that CDA (combined dynamic data authentication/application cryptogram generation) may be unavailable to support traditional card verification methods to verify the payment credentials used in the financial transaction.
  • the point-of-sale terminal 120 may be configured such that it may require authentication by the user 102 at both the mobile device 104 (e.g., entering of the mobile PIN) and the point-of-sale terminal 120 (e.g., entering of an online PIN or signature).
  • LDA may be used in order to provide card authentication support such that a financial transaction may be supported by the point-of-sale terminal 120 utilizing a single point of authentication (e.g., the mobile PIN).
  • the card profile 1 16 may further include one RSA key pair and certificate.
  • the performing of the LDA may include the swapping of the meaning of the effective date and the expiration date in the payment credentials included in the card profile 1 16, and the setting of at least one issuer action code to force the payment transaction to be an online transaction.
  • the expiration date may be set as a date prior to the date of issuance, or the effective date may be set as a date beyond the expiry date, or both may be set as defined. This may result in the point-of-sale terminal 120 declining the transaction due to the expiration and/or effective dates, but transmitting the transaction for online
  • performing LDA may further include setting an issuer action code configured to decline offline transactions (e.g., such that if the point-of-sale terminal 120 is an offline-only terminal it may decline all such transactions).
  • FIG. 15 is a flow chart illustrating a method 1500 for generating and provisioning payment credentials to a mobile device lacking a secure element.
  • a card profile (e.g., the card profile 1 16) associated with a payment account may be generated by a processing device (e.g., of the payment credentials management service 1 12), wherein the card profile 1 16 includes at least payment credentials corresponding to the associated payment account and a profile identifier.
  • the generated card profile 1 16 may be provisioned to a mobile device (e.g., the mobile device 104) lacking a secure element.
  • provisioning the card profile 1 16 may include building a message including the generated card profile 1 16, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device 104.
  • a key request may be received from the mobile device 104, wherein the key request includes at least a mobile personal identification number (PIN) and the profile identifier.
  • an authentication device e.g., of the payment credentials management service 1 12
  • the authentication device may use the mobile PIN.
  • the authentication device may use the mobile PIN using an XOR method.
  • a single use key (e.g., the single use key 1 18) may be generated by the processing device, wherein the single use key 1 18 includes at least the profile identifier, an application transaction counter, and a generating key for use in
  • the single use key 1 18 may be genuine if the mobile PIN is successfully authenticated in step 1508, and fake if the mobile PIN is unsuccessfully authenticated.
  • the method 1500 may further include transmitting the generated single use key 1 18 to an issuer associated with the payment account.
  • the generated single use key 1 18 may be inactive.
  • the generated single use key 1 18 may be transmitted, by a transmitting device, to the mobile device 104.
  • transmitting the generated single use key 1 18 may include building a message including the generated single use key 1 18, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device 104.
  • the method 1500 may further include receiving, from the mobile device 104, and indication of use of the single use key 1 18 and activating, by the processing device, the generated single use key 1 18.
  • the method 1500 may also include transmitting, by the transmitting device, an indication of activation of the single use key 1 18 to an issuer (e.g., the issuer 108) associated with the payment account.
  • FIG. 16 is a flow chart illustrating a method 1600 for generating a payment cryptogram in a mobile device (e.g., the mobile device 104) lacking a secure element.
  • a card profile (e.g., the card profile 1 16) may be received by a receiving device (e.g., in the mobile device 104), wherein the card profile 1 16 includes at least payment credentials corresponding to a payment account and a profile identifier.
  • receiving the card profile 1 16 may include receiving an encrypted message including the card profile 1 16, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included card profile 1 16.
  • the card profile 1 16 may be configured to utilize local data authentication, wherein the local data authentication includes swapping, in the payment credentials, the meaning of an expiration date and an effective date, and setting an issuer action code configured to force the financial transaction to be an online transaction.
  • the expiration date may be set as a date prior to the date of issuance, or the effective date may be set as a date beyond the expiry date, or both may be set as defined.
  • the card profile 1 16 may further include one RSA key pair and certificate.
  • an input device e.g., of the mobile device 104, such as a touch screen
  • a transmitting device may transmit a key request, wherein the key request includes at least the profile identifier.
  • a single use key (e.g., the single use key 1 18) may be received, by the receiving device, wherein the single use key 1 18 includes at least an application transaction counter and a generating key.
  • receiving the single use key 1 18 may include receiving an encrypted message including the single use key 1 18, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included single use key 1 18.
  • a payment cryptogram valid for a single payment transaction may be generated, by a processing device, based on at least the received single use key 108 and the mobile PIN.
  • the payment cryptogram may be an application cryptogram or a dynamic card validation code.
  • at least the payment credentials and the generated payment cryptogram may be transmitted, via near field communication, to a point-of-sale terminal (e.g., the point-of-sale terminal 120) for use in a financial transaction.
  • the method 1600 may further include receiving, by the input device, an indication of use of the received single use key 1 18, transmitting, by the transmitting device, an activation request including at least the profile identifier, and receiving, by the receiving device, an indication of activation of the single use key 1 18.
  • the payment credentials and generated payment cryptogram may be transmitted to the point-of-sale terminal 120 in response to receiving the indication of activation of the single use key 1 18.
  • the payment cryptogram may be generated in response to receiving the indication of activation of the single use key 118.
  • FIG. 17 is a flow chart illustrating an alternative method 1700 for generating and provisioning payment details to a mobile device (e.g., the mobile device 104) lacking a secure element.
  • step 1702 at least a storage key, a plurality of dynamic card validation code (CVC3) keys, and an application transaction counter associated with a mobile application program (e.g., the mobile payment application 106) may be stored in a database (e.g., the storage 304).
  • a database e.g., the storage 304.
  • step 1 04 at least the storage key, an authentication component, and static payment credentials may be provisioned to the mobile device 104, wherein the static payment credentials are associated with a payment account.
  • a chip authentication program (CAP) token may be received from the mobile device 104.
  • the authenticity of the received CAP token may be validated by a validation service (e.g., the CTVS 702).
  • the CAP token may be validated based on at least the provisioned authentication component and an additional credential received from the mobile device 104.
  • the additional credential may be at least one of: a gesture, a password, a passcode, and a biometric identifier.
  • validating the authenticity of the CAP token may include validating the authenticity of the CAP token based on at least the application transaction counter.
  • a session key unpredictable number may be generated by a processing device (e.g., the cloud system 302).
  • a cloud unpredictable number may be generated by the processing device 302.
  • the processing device 302 may identify an encrypted payload based on a derived CVC3 key (KD C vc3), wherein the encrypted payload includes at least a CVC3 key of the plurality of CVC3 keys, the KSUN, and the application transaction counter.
  • KD C vc3 may be genuine if the received CAP token is successfully validated, and may be fake if the received CAP token is unsuccessfully validated.
  • the payload may be encrypted using at least the storage key.
  • a transmitting device may transmit the encrypted payload to the mobile device 104 for use in generating a CVC3 value for use in a financial transaction.
  • the transmitting device may transmit at least the KSUN, UNCLOUD, and application transaction counter to an issuer (e.g., the issuer 108) associated with the payment account for use in validating the generated CVC3 value used in the financial transaction.
  • FIG. 18 is a flow chart illustrating a method 1800 for generating a dynamic card validation code (CVC3) value in a mobile device (e.g., the mobile device 104) lacking a secure element.
  • CVC3 dynamic card validation code
  • step 1802 at least a storage key, an authentication component, and static payment credentials may be received by a receiving device.
  • at least one additional credential may be received by an input device (e.g., of the mobile device 104).
  • the at least one additional credential may include at least one of: a gesture, a password, a passcode, and a biometric identifier.
  • a chip authentication program (CAP) token may be generated by a processing device, wherein the CAP token is based on at least the authentication component and the at least one additional credential.
  • CAP chip authentication program
  • step 1808 the generated CAP token may be transmitted by a transmitting device.
  • an encrypted payload may be received by the receiving device, wherein the encrypted payload includes at least a supplied CVC3 value, session key unpredictable number, and an application transaction counter.
  • the processing device may decrypt the encrypted payload using at least the received storage key.
  • a reader unpredictable number may be received, via near field communication, from a point-of-sale terminal (e.g., the point-of- sale terminal 120).
  • the processing device may generate a payment CVC3 value based on at least the supplied CVC3 value, the session key unpredictable number, the application transaction counter, and the reader unpredictable number.
  • the generated payment CVC3 value and the application transaction counter may be transmitted, via near field communication, to the point-of-sale terminal 120 for including in an authorization request in a financial transaction.
  • FIG. 19 illustrates a computer system 1900 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code.
  • the payment credentials may be implemented as computer-readable code.
  • the remote notification service 1 14, the mobile device 104, the acquirer processing server 312, and the issuer processing server 308 may be implemented in the computer system 1900 using hardware, software, firmware, non-transitory computer readable media having instructions stored thereon, or a combination thereof and may be
  • FIGS. 6-18 Hardware, software, or any combination thereof may embody modules and components used to implement the methods of FIGS. 6-18.
  • programmable logic may execute on a commercially available processing platform or a special purpose device.
  • a person having ordinary skill in the art may appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, as well as pervasive or miniature computers that may be embedded into virtually any device.
  • at least one processor device and a memory may be used to implement the above described embodiments.
  • a processor device as discussed herein may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor “cores.”
  • the terms "computer program medium,” “non-transitory computer readable medium,” and “computer usable medium” as discussed herein are used to generally refer to tangible media such as a removable storage unit 1918, a removable storage unit 1922, and a hard disk installed in hard disk drive 1912.
  • Processor device 1904 may be a special purpose or a general purpose processor device.
  • the processor device 1904 may be connected to a communication infrastructure 1906, such as a bus, message queue, network, multi-core message-passing scheme, etc.
  • the network may be any network suitable for performing the functions as disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof.
  • LAN local area network
  • WAN wide area network
  • WiFi wireless network
  • mobile communication network e.g., a mobile communication network
  • satellite network the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof.
  • RF radio frequency
  • the computer system 1900 may also include a main memory 1908 (e.g., random access memory, read-only memory, etc.), and may also include a secondary memory 910.
  • the secondary memory 1910 may include the hard disk drive 1912 and a removable storage drive 1914, such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc.
  • the removable storage drive 1914 may read from and/or write to the removable storage unit 1918 in a well-known manner.
  • the removable storage unit 1918 may include a removable storage media that may be read by and written to by the removable storage drive 1914.
  • the removable storage drive 1914 is a floppy disk drive
  • the removable storage unit 1918 may be a floppy disk.
  • the removable storage unit 1918 may be non-transitory computer readable recording media.
  • the secondary memory 1910 may include alternative means for allowing computer programs or other instructions to be loaded into the computer system 1900, for example, the removable storage unit 1922 and an interface 1920.
  • Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and other removable storage units 1922 and interfaces 1920 as will be apparent to persons having skill in the relevant art.
  • Data stored in the computer system 1900 may be stored on any type of suitable computer readable media, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive).
  • the data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to persons having skill in the relevant art.
  • the computer system 1900 may also include a communications interface 1924.
  • the communications interface 1924 may be configured to allow software and data to be transferred between the computer system 1900 and external devices.
  • Exemplary communications interfaces 1924 may include a modem, a network interface (e.g., an Ethernet card), a
  • Software and data transferred via the communications interface 1924 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals as will be apparent to persons having skill in the relevant art.
  • the signals may travel via a communications path 1926, which may be configured to carry the signals and may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, a radio frequency link, etc.
  • Computer program medium and computer usable medium may refer to memories, such as the main memory 1908 and secondary memory 1910, which may be memory semiconductors (e.g. DRAMs, etc.). These computer program products may be means for providing software to the computer system 1900.
  • Computer programs e.g., computer control logic
  • Computer programs may be stored in the main memory 1908 and/or the secondary memory 1910. Computer programs may also be received via the communications interface 1924.
  • Such computer programs when executed, may enable computer system 1900 to implement the present methods as discussed herein.
  • the computer programs, when executed may enable processor device 1904 to implement the methods illustrated by FIGS. 6-18, as discussed herein. Accordingly, such computer programs may represent controllers of the computer system 1900.
  • the software may be stored in a computer program product and loaded into the computer system 1900 using the removable storage drive 1914, interface 1920, and hard disk drive 1912, or communications interface 1924.
  • Techniques consistent with the present disclosure provide, among other features, systems and methods for the provisioning of payment credentials to mobile devices lacking a secure element and the generation of payment cryptograms based thereon. While various exemplary

Abstract

A method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device lacking a secure element, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier; using the mobile PIN; generating a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and transmitting the generated single use key to the mobile device.

Description

SYSTEMS AND METHODS FOR PROCESSING MOBILE PAYMENTS BY PROVISONING CREDENTIALS TO MOBILE DEVICES WITHOUT SECURE ELEMENTS
RELATED APPLICATIONS
[0001] This application claims the priority benefit of commonly assigned U.S. Provisional Application No. 61/619,095, filed April 2, 2012, entitled "Method and System for Processing Mobile Payments for Devices Without Secure Elements"; U.S. Provisional Application No. 61/639,248, filed
April 18, 2012, entitled "Method and System for Processing Mobile
Payments by Provisioning Credentials to Mobile Devices Without Secure Elements"; U.S. Provisional Application No. 61/735,383, filed December 10, 2012, entitled "Systems and Methods for Processing Mobile Payments by Provisioning Credentials to Mobile Devices Without Secure Elements," by Mehdi Collinge et al.; U.S. Provisional Application No. 61/762,098, filed February 7, 2013, entitled "Systems and Methods for Processing Mobile Payments by Provisioning Credentials to Mobile Devices Without Secure Elements," by Mehdi Collinge et al.; and U.S. Patent Application No.
13/827,042, filed March 14, 2013, entitled "Systems and Methods for Processing Mobile Payments by Provisioning Credentials to Mobile Devices Without Secure Elements," by Mehdi Collinge et al., which are each herein incorporated by reference in their entirety.
FIELD
[0002] The present disclosure relates to provisioning of payment credentials to a mobile device lacking a secure element, specifically the provisioning and storage of payment credentials for use in conducting a near field financial transaction using a mobile device lacking a secure element.
BACKGROUND
[0003] Advances in both mobile and communication technologies have created tremendous opportunities, one of which is providing user of mobile computing devices the ability to initiate payment transactions using their mobile device. One such approach to enable mobile devices to conduct payment transactions has been the use of near field communication (NFC) technology to securely transmit payment information to a nearby contactless point-of-sale terminal. In order to achieve this, mobile phones with secure element hardware (e.g., a Secure Element chip) are used to securely store payment account credentials, such as credit card credentials.
[0004] However, not all mobile devices have secure elements.
Furthermore, some issuers may not have access to a secure element on a mobile device, even if the mobile device has one available. As a result, a consumer who has a NFC-capable mobile device may not be able to use their device to conduct payment transactions if their mobile device lacks a secure element, and even in some cases where their mobile device has a secure element.
[0005] Thus, there is a need for a technical solution to enable a mobile device lacking a secure element to conduct contactless payment
transactions.
SUMMARY
[0006] The present disclosure provides a description of a systems and methods for the provisioning of payment credentials to mobile devices lacking secure elements for use in mobile payment transactions.
[0007] A method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: generating, by a
processing device, a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier; provisioning, to a mobile device, the generated card profile; receiving, from the mobile device, a key request, wherein the key request includes at least a mobile
identification number (PIN) and the profile identifier; using, by an
authentication device, the mobile PIN; generating, by the processing device, a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and transmitting, by a transmitting device, the generated single use key to the mobile device, wherein the mobile device is not required to have a secure element.
[0008] A method for generating a payment cryptogram in a mobile device lacking a secure element includes: receiving, by a receiving device, a card profile, wherein the card profile includes at least payment credentials corresponding to a payment account and a profile identifier; receiving, by an input device, a mobile personal identification number (PIN) input by a user of the mobile device; transmitting, by a transmitting device, a key request, wherein the key request includes at least the profile identifier; receiving, by the receiving device, a single use key, wherein the single use key includes at least an application transaction counter and a generating key; generating, by a processing device, a payment cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN; and transmitting, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
[0009] Another method for generating and provisioning payment credentials to a mobile device lacking a secure element includes: storing, in a database, at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program; provisioning, to the mobile device, at least the storage key, an authentication component, and static payment credentials, wherein the static payment credentials are associated with a payment account;
receiving, from a mobile device, a chip authentication program (CAP) token; validating, by a validation device, the authenticity of the received CAP token; generating, by a processing device, a session key unpredictable number (KSUN); generating, by the processing device, a cloud unpredictable number (UNCLOUD); identifying, by the processing device, an encrypted payload based on a derived dynamic card validation code key (KDCvc3), wherein the encrypted payload includes at least a dynamic card validation code key of the plurality of dynamic card validation code keys, the KSUN, and the application transaction counter; transmitting, by a transmitting device, the encrypted payload to the mobile device for use in generating a dynamic card validation code for use in a financial transaction; and transmitting, by the transmitting device, at least the KSUN, UNCLOUD, and application transaction counter to an issuer associated with the payment account for use in validating the generated dynamic card validation code used in the financial transaction.
[0010] A method for generating a dynamic card validation code in a mobile device lacking a secure element includes: receiving, by a receiving device, at least a storage key, an authentication component, and static payment credentials; receiving, by an input device, at least one additional credential; generating, by a processing device, a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential; transmitting, by a transmitting device, the generated CAP token; receiving, by the receiving device, an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter; decrypting, by the processing device, the encrypted payload using at least the received storage key;
receiving, via near field communication, a reader unpredictable number from a point-of-sale terminal; generating, by the processing device, a payment dynamic card validation code based on at least the supplied dynamic card validation code, the session key unpredictable number, the application transaction counter, and the reader unpredictable number; and transmitting, via near field communication, the generated payment dynamic card validation code and the application transaction counter to the point-of-sale terminal for including in an authorization request for a financial transaction. [0011] A system for generating and provisioning payment credentials to a mobile device lacking a secure element includes a transmitting device, a processing device, a provisioning device, a receiving device, and an authentication device. The processing device is configured to generate a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier. The provisioning device is configured to provision, to a mobile device lacking a secure element, the generated card profile. The receiving device is configured to receive, from the mobile device, a key request, wherein the key request includes at least a mobile identification number (PIN) and the profile identifier. The
authentication device is configured to use the mobile PIN. The processing device is further configured to generate a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction. The transmitting device is configured to transmit the generated single use key to the mobile device.
[0012] A system for generating a payment cryptogram in a mobile device lacking a secure element includes a processing device, a receiving device, an input device, and a transmitting device. The receiving device is
configured to receive a card profile, wherein the card profile includes at least payment credentials corresponding to a payment account and a profile identifier. The input device is configured to receive a mobile personal identification number (PIN) input by a user of the mobile device. The transmitting device is configured to transmit a key request, wherein the key request includes at least the profile identifier. The receiving device is further configured to receive a single use key, wherein the single use key includes at least an application transaction counter and a generating key. The processing device is configured to generate a payment cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN. The transmitting device is further configured to transmit, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
[0013] Another system for generating and provisioning payment
credentials to a mobile device lacking a secure element includes a database, a provisioning device, a receiving device, a processing device, and a transmitting device. The database is configured to store at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program. The provisioning device is configured to provision, to the mobile device, at least the storage key, an authentication component, and static payment
credentials, wherein the static payment credentials are associated with a payment account. The receiving device is configured to receive, from a mobile device, a chip authentication program (CAP) token. The processing device is configured to: validate the authenticity of the received CAP token; generate a session key unpredictable number (KSUN); generate a cloud unpredictable number (UNCLOUD); and identify an encrypted payload based on a derived dynamic card validation code key (KDCvc3), wherein the encrypted payload includes at least a dynamic card validation code key of the plurality of dynamic card validation code keys, the KSUN, and the application transaction counter. The transmitting device is configured to: transmit the encrypted payload to the mobile device for use in generating a dynamic card validation code for use in a financial transaction; and transmit at least the KSUN, UNCLOUD, and application transaction counter to an issuer associated with the payment account for use in validating the generated dynamic card validation code used in the financial transaction.
[0014] A system for generating a dynamic card validation code in a mobile device lacking a secure element includes a receiving device, an input device, a processing device, and a transmitting device. The receiving device is configured to receive at least a storage key, an authentication component, and static payment credentials. The input device is configured to receive at least one additional credential. The processing device is configured to generate a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential. The transmitting device is configured to transmit the generated CAP token. The receiving device is further configured to receive an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter. The processing device is further configured to decrypt the encrypted payload using at least the received storage key. The receiving device is further configured to receive, via near field communication, a reader unpredictable number from a point-of-sale terminal. The processing device is further configured to generate a payment dynamic card validation code based on at least the supplied dynamic card validation code, the session key unpredictable number, the application transaction counter, and the reader unpredictable number. The transmitting device is further configured to transmit, via near field communication, the generated payment dynamic card validation code and the application transaction counter to the point-of-sale terminal for including in an
authorization request for a financial transaction.
BRIEF DESCRIPTION OF THE DRAWING FIGURES
[0015] The scope of the present disclosure is best understood from the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings. Included in the drawings are the following figures:
[0016] FIG. 1 is a high level diagram illustrating a system for generating and provisioning payment credentials to a mobile device in accordance with exemplary embodiments.
[0017] FIG. 2 is a block diagram illustrating the payment token payload of the system of FIG. 1 in accordance with exemplary embodiments. [0018] FIG. 3 is a high level diagram illustrating an alternative system for provisioning payment credentials to a mobile device in accordance with exemplary embodiments.
[0019] FIG. 4 is a diagram illustrating a method for dual channel communication for use in the system of FIG. 1 in accordance with exemplary embodiments.
[0020] FIG. 5 is a flow chart illustrating the experience of a user of the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
[0021] FIG. 6 is a high level diagram illustrating methods for provisioning payment credentials to a mobile device and generating a payment cryptogram in accordance with exemplary embodiments.
[0022] FIG. 7 is a high level diagram illustrating methods for provisioning payment credentials to a mobile device and generating a dynamic card validation code in accordance with exemplary embodiments.
[0023] FIG. 8 is a flow diagram illustrating a method for registration of a mobile device for use in the system of FIG. 1 in accordance with exemplary embodiments.
[0024] FIG. 9 is a flow diagram illustrating a method for the initialization of a mobile application program on the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
[0025] FIG. 10 is a flow diagram illustrating a method for remote management of the mobile application program of the mobile device in accordance with exemplary embodiments.
[0026] FIG. 1 1 is a flow diagram illustrating a method for the delivery of a card profile to the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
[0027] FIG. 12 is a flow diagram illustrating a method for the delivery of a single use key to the mobile device of the system of FIG. 1 in accordance with exemplary embodiments. [0028] FIG. 13 is a flow diagram illustrating a method for managing the mobile application program following the update of a mobile personal identification number of the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
[0029] FIG. 14 is a flow diagram illustrating a method for conducting a payment transaction using the mobile device of the system of FIG. 1 in accordance with exemplary embodiments.
[0030] FIG. 15 is a flow chart illustrating an exemplary method for generating and provisioning payment credentials to a mobile device lacking a secure element in accordance with exemplary embodiments.
[0031] FIG. 16 is a flow chart illustrating an exemplary method for generating a payment cryptogram in a mobile device lacking a secure element in accordance with exemplary embodiments.
[0032] FIG. 17 is a flow chart illustrating an alternative method for generating and provisioning payment credentials to a mobile device lacking a secure element in accordance with exemplary embodiments.
[0033] FIG. 18 is a flow chart illustrating an exemplary method for generating a dynamic card validation code in a mobile device lacking a secure element in accordance with exemplary embodiments.
[0034] FIG. 19 is a block diagram illustrating a computer system
architecture in accordance with exemplary embodiments.
[0035] Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description of exemplary embodiments are intended for illustration purposes only and are, therefore, not intended to necessarily limit the scope of the disclosure.
DETAILED DESCRIPTION
Definition of Terms
[0036] Payment Network - A system or network used for the transfer of money via the use of cash-substitutes. Payment networks may use a variety of different protocols and procedures in order to process the transfer of money for various types of transactions. Transactions that may be performed via a payment network may include product or service purchases, credit purchases, debit transactions, fund transfers, account withdrawals, etc. Payment networks may be configured to perform transactions via cash- substitutes, which may include payment cards, letters of credit, checks, financial accounts, etc. Examples of networks or systems configured to perform as payment networks include those operated by MasterCard®, VISA®, Discover®, American Express®, etc.
[0037] Payment Account - A financial account that may be used to fund a transaction, such as a checking account, savings account, credit account, virtual payment account, etc. A payment account may be associated with an entity, which may include a person, family, company, corporation,
governmental entity, etc. In some instances, a payment account may be virtual, such as those accounts operated by PayPal®, etc.
[0038] Payment Card - A card or data associated with a payment account that may be provided to a merchant in order to fund a financial transaction via the associated payment account. Payment cards may include credit cards, debit cards, charge cards, stored-value cards, prepaid cards, fleet cards, virtual payment numbers, virtual card numbers, controlled payment numbers, etc. A payment card may be a physical card that may be provided to a merchant, or may be data representing the associated payment account (e.g., as stored in a communication device, such as a smart phone or computer). For example, in some instances, data including a payment account number may be considered a payment card for the processing of a transaction funded by the associated payment account. In some instances, a check may be considered a payment card where applicable. System for Generating and Provisioning Payment Credentials
[0039] FIG. 1 is a diagram illustrating a system 100 for the generating and provisioning of payment credentials to a mobile device lacking a secure element.
[0040] The system 100 may include a user 102. The user 102 may possess a mobile device 104. The mobile device 104 may be any type of mobile computing device suitable for performing the functions as disclosed herein, such as a cellular phone, smart phone, tablet computer, personal digital assistant, etc. In an exemplary embodiment, the mobile device 104 may not include a secure element.
[0041] The mobile device 104 may include a mobile payment application 106, which may be an application program stored in data storage of the mobile device 104 and executed by a processor included in the mobile device 104. The mobile payment application 106 may be configured to receive and store payment credentials and conduct payment transactions via near field communication without the use of a secure element, as discussed in more detail herein.
[0042] The user 102 may have a payment account with an issuer 108, such as a credit card account. The user 102 may desire to use their mobile device 104 to conduct payment transactions using their payment account with the issuer 108 for funding of the transactions. Payment credentials corresponding to the payment account may be stored by a remote-SE (remote-secure element) system 1 10 for provisioning to the mobile device 104. The remote-SE system 1 10 may include at least a payment credentials management service 1 12 and a remote notification server 1 14, each of which are discussed in more detail below.
[0043] The remote-SE system 1 10 may build a payment token payload in order to provision the payment credentials to the mobile device 104 for use in a payment transaction. The payment token payload (PTP) may be a container used to carry payment credentials from the remote-SE system 100 to the mobile payment application 106 in the mobile device 104. The payment token payload may include a card profile 1 16 and a single use key 1 18, discussed in more detail below. The card profile 1 16 may include the payment credentials, and the single use key 1 18 may be a single use (e.g., one-time use) key used to generate a payment cryptogram valid for a single payment transaction. In some embodiments, the remote-SE system 1 10 and the mobile device 104 may communicate using dual channel communication, discussed in more detail below.
[0044] The mobile device 104 may be further configured to transmit a generated payment cryptogram and payment credentials to a point-of-sale terminal 120 at a merchant. The point-of-sale terminal 120 may be any type of point-of-sale terminal or device suitable for receiving payment credentials via near field communication (NFC). Suitable methods and protocols for the secure transmission of information via NFC will be apparent to persons having skill in the relevant art. The point-of-sale terminal 120 may transmit the received payment credentials and other transaction information (e.g., transaction amount, product details, etc.) to an acquirer 122, such as an acquiring bank.
[0045] The acquirer 122 may submit an authorization request for the payment transaction to a payment network 124. The payment network 124 may be configured to process the authorization request, such as by querying the issuer 108 for approval of the payment transaction (e.g., based on funds or credits in the payment account). The payment network 124 may then submit an authorization response to the acquirer 122 and/or the merchant, who may then finalize the payment transaction with the user 102. Methods and systems suitable for the processing of a financial transaction will be apparent to persons having skill in the relevant art.
[0046] The system 100 and the use of the payment token payload may enable the user 102 to use the mobile device 104 to conduct NFC payment transactions without the use of a secure element. Payment Token Payload
[0047] FIG. 2 is a diagram illustrating the payment token payload provisioned to the mobile device 104 in additional detail.
[0048] As discussed above, the payment token payload may include the card profile 1 16 and the single use key 1 18. The card profile 1 16 may include payment credentials provisioned to the mobile payment application 106 by the remote-SE system for use in conducting payment transactions. The payment credentials included in the card profile 116 may include common payment credentials 202, magnetic stripe (mag stripe) payment credentials 204, and m/chip payment credentials 206.
[0049] The common payment credentials 202 may include all data elements common to any type of payment transactions, such as both mag stripe and m/chip payment transactions. Such data elements may include payment account number, tracking data, and card layout description data. The mag stripe payment credentials 204 may include data elements specific to mag stripe transactions, such as the number of digits in an application transaction counter and a bitmap for an unpredictable number and the application transaction counter. The m/chip payment credentials 206 may include data elements specific to m/chip payment transactions, such as issuer action codes, risk management data, and offline data authentication object lists. In some embodiments, the mag stripe payment credentials 204 may be mandatory in the card profile 1 16 and the m/chip payment credentials 206 may be optional.
[0050] The single use key 1 18 may be a payment token used one time to generate a payment cryptogram to be used in a payment transaction. The single use key may include an application transaction counter (ATC) and a generating key 208. The application transaction counter may be a count of transactions used for fraud management and authentication as will be apparent to persons having skill in the relevant art. The generating key 208 may be a key used to generate a payment cryptogram used in a financial transaction. In one embodiment, the generating key 208 may generate a dynamic card validation code (CVC3) or an application cryptogram (AC). In a further embodiment, the application cryptogram may be optional.
[0051] The single use key 1 18 may also include an identifier used to identify the card profile 1 16 to which it corresponds to. In some
embodiments, the single use key 1 18 may be protected based on a mobile personal identification number (PIN) value. In such an embodiment, the user 102 may provide a mobile PIN for authentication. If the mobile PIN provided is incorrect, an incorrect value of the single use key may be used by the mobile payment application 06. In such an instance, the issuer 108 will not authorize the payment transaction. Such an embodiment may result in additional security for the user 102, the issuer 108, and the merchant involved in the payment transaction.
Alternative System for Generating and Provisioning Payment Credentials
[0052] FIG. 3 illustrates an alternative system 300 for generating and provisioning payment credentials to the mobile device 104 lacking a secure element.
[0053] In the system 300, the mobile device 104 may include the mobile payment application 106. The mobile device 104 may also include storage 304, such as a database. The remote-SE system 1 10 may include a cloud system 302. The cloud system 302 may store keys, payment credentials, and an application transaction counter, which may be provisioned from the cloud system 302 to the mobile device 104 and stored in the storage 304.
[0054] The mobile device 104 may generate a chip authentication program (CAP) token. The generation and use of CAP tokens will be apparent to persons having skill in the relevant art. The mobile device 104 may transmit the generated CAP token to the cloud system 302. The cloud system 302 may then authenticate (e.g., validate) the CAP token, such as by using a CAP token validation system as will be apparent to persons having skill in the relevant art. The cloud system 302 may then generate unpredictable numbers, and may generate an encrypted payload including a derived dynamic card validation code key (KDCvc3) and the generated unpredictable number. The cloud system 302 may also transmit at least some of the information to the issuer 108. The issuer 108 may store the received information in an issuer database 310.
[0055] The encrypted payload may be transmitted to the mobile device 104, which may decrypt the payload and then generate a dynamic card validation code based on the information included in the encrypted payload and stored payment credentials. The user 102 may shop at a merchant 306, and, when goods or services have been selected for purchase, may transmit the payment credentials and dynamic card validation code from the mobile device 104 to the point-of-sale terminal 120. The point-of-sale terminal 120 may transmit the information and relevant transaction information to the acquirer 122.
[0056] An acquirer processing server 312 may receive the information at the acquirer 122 and may generate and submit an authorization request for the financial transaction including the payment credentials and dynamic card validation code to the payment network 124. The payment network 124 may forward relevant information to the issuer 108 for authorization of the transaction for a specific transaction amount. The issuer 108 may include an issuer processing server 308. The issuer processing server 308 may authenticate the dynamic card validation code based on the information stored in the issuer database 310 and received from the cloud system 302. The issuer 108 may then, based on the authentication, approve or deny the payment transaction.
[0057] The issuer 108 may submit a response to the payment network 124, which may then submit an authorization response to the acquirer 122. The acquirer may inform the merchant 306 of the results of the authorization, who may then finalize the transaction with the cardholder 102. Methods for provisioning payment credentials to the mobile device 104 and for
processing a payment transaction via the mobile device 104 are discussed in more detail below. Dual Channel Communication
[0058] FIG. 4 illustrates a method for dual channel communication for use in the system 100 of FIG. 1 for communication between the mobile device 104 and the remote-SE system 1 10. Dual channel communication may enable the mobile device 104 and the remote-SE system 110 to
communicate using multiple protocols, which may allow for faster and/or more secure transmissions between the two systems.
[0059] Dual channel communication may include using remote notification 402 as a first channel, and mutual authentication 404 as a second channel. Remote notification 402 may be performed between the remote notification service 1 14 and the mobile device 104. In some embodiments, the payment credentials management service 1 12 may generate information, such as the single use key 1 18, to be provided to the mobile payment application 106. The payment credentials management service 1 12 may generate a message including the single use key encrypted with a random key to be provided and may encrypt the message using the mobile key.
[0060] The remote notification service 1 14 may then transmit the message to the mobile device 104 using remote notification. The mobile device 104 may provide the message to the mobile payment application 106, which may then decrypt the message using the shared mobile key, and then may decrypt the encrypted single use key with the random key, and thus use the single use key in a payment transaction. Methods for transmission of message using remote notification will be apparent to persons having skill in the relevant art.
[0061] Mutual authentication 404 may be used in instances where additional security may be desired, such as in forming an initial connection between the mobile device 104 and the remote-SE system 1 10. The mutual authentication 404 may use SSL/TLS communication to authenticate the remote-SE system 1 10 to the mobile device 104, and may use an
authentication code, discussed in more detail below, to authenticate the mobile device 104 to the remote-SE system 1 10. In such an instance, the authentication of both systems to the other provides the mutual
authentication and additional security.
[0062] SSL TLS communication is a standard method of communication as will be apparent to persons having skill in the relevant art. The
authentication code may be a hash computed over a set of data known by both the remote-SE system 1 10 and the mobile device 104. For example, the authentication code may be computed over a unique identifier defined by the remote-SE system 1 10 to uniquely identify the mobile device 104, which may be provided to the mobile payment application 106 during initialization, discussed in more detail below. In an exemplary embodiment, the
authentication code may be based on, in part, a session identifier. The session identifier may be transmitted from the remote-SE system 1 10 to the mobile device 104 using remote notification 402. In a further embodiment, the session identifier may be encrypted (e.g., using the mobile key). In such an embodiment, the mobile key may be used to decrypt the session identifier to be used to build the authentication code to be used for the mutual authentication 404.
[0063] The mobile device 104 and the remote-SE system 1 10 may both include the mobile key to be used as a shared key for the encrypting and decrypting of messages transmitted via remote notification. The mobile payment application 106 may also include a local storage encryption key.
The local storage encryption key may be generated by the mobile payment application 106 and used to provide the storage 304 as an encrypted local database. The storage 304 may then store the shared mobile key, received payment credentials, and any additional information in the mobile device 104 to prevent unauthorized access.
Initialization and Use of the Mobile Payment Application
[0064] FIG. 5 illustrates a method 500 for the initialization and use of the mobile payment application 106 in the mobile device 104. [0065] In step 502, the user 102 may register with the remote-SE system 1 10 to use the mobile device 104 for contactless payment transactions. The user 102 may register with the remote-SE system 1 10 using the mobile device 104 or another computing device, such as a desktop computer.
Registration may be performed via a web browser, application program, or any other suitable method as will be apparent to persons having skill in the relevant art. As part of the registration, the user 102 may provide account information for the payment account with which the user 102 wants to use for payment transactions using the mobile device 104. The user 102 may receive an activation code and may also identify and/or receive a unique identifier used to identify the user 102.
[0066] In step 504, the user 102 may install the mobile payment
application 106 on the mobile device 104. Methods for installing application programs on a mobile device will be apparent to persons having skill in the relevant art and may include using a web browser or application program on the mobile device 104 to identify and download the mobile payment application 106. It will also be apparent to persons having skill in the relevant art that step 504 may be performed before or concurrently with step 502.
[0067] In step 506, the user 102 may initialize/activate the mobile payment application 106. The user 102 may enter the activation code received in step 502 into the mobile payment application 106. The mobile payment application 106 may then communicate with the remote-SE system 1 10 and may receive the shared mobile key. The mobile payment application 106 may also generate the local storage encryption key and encrypt the storage 304 to create the local encrypted database.
[0068] In step 508, the remote-SE system 1 10 may transmit the card profile 1 16 to the mobile device 104. In one embodiment, the mobile device 104 may receive a remote notification message to notify the user 102 that the mobile payment application 106 must connect with the remote-SE system 1 10 using mutual authentication 404. Once connected, the remote- SE system 1 10 may then transmit the card profile including payment credentials for the account specified by the user 102 in step 502, which may then be stored by the mobile payment application 106 in the local encrypted database 304.
[0069] In step 510, the remote-SE system 1 10 may transmit a single use key 1 18 to the mobile payment application 106. In some embodiments, the transmission may be performed using mutual authentication 404 in the same process performed in step 510. In some embodiments, steps 508 and 510 may be combined in a single step, such that the remote-SE system may transmit both the card profile 1 16 and a single use key 1 18 to the mobile payment application 106 in a single or consecutive transactions.
[0070] In step 512, the mobile device 104 may conduct a contactless/NFC payment transaction using the mobile payment application 106 and the single use key 1 18. The mobile payment application 106 may generate a payment cryptogram, discussed in more detail below, and may transmit the generated cryptogram and payment credentials to a point-of-sale terminal 120. Methods for transmitting payment credentials and a payment cryptogram to a point-of-sale terminal 120 via NFC will be apparent to persons having skill in the relevant art.
[0071] In step 514, the mobile payment application 106 may identify if there are any single use keys 1 18 available for use in subsequent payment transactions. If there are additional keys 1 18 available for use, then the method 500 may return to step 512 where additional payment transactions may be conducted with the remaining single use key(s) 1 18. If there are no single use keys 1 18 remaining, then, the method 500 may return to step 510 where connection may be made with the remote-SE system 1 10 and a new single use key 1 18 provisioned to the mobile device 104. Method for Provisioning Payment Credentials and Generating a Payment Cryptogram
[0072] FIG. 6 illustrates a more detailed version of the system 100 and illustrates the process by which payment credentials may be generated and provisioned to the mobile device 104 and the mobile device 104 used to conduct a contactless payment transaction without the use of a secure element.
[0073] The user 102 may register with the remote-SE system 110. The remote-SE system 1 10 may store the user registration information (e.g., payment account information) in a database 602 and may return an activation code to the user 102. The user 102 may then install the mobile payment application 106 on the mobile device 104 and activate the mobile payment application 106 using the activation code. As part of the activation, the remote-SE system 1 10 may transmit a shared mobile key 604 to the mobile payment application 106. The mobile payment application 106 may also generate a local storage encryption key and may encrypt the storage 304 on the mobile device 104. The mobile key 604 may be stored in the local encrypted database 304.
[0074] The payment credentials management servicel 12 may store the shared mobile key 604 in the database 602. The payment credentials management service 1 12 may also identify payment credentials
corresponding to the payment account indicated by the user, and build the card profile 1 16 including the payment credentials. The remote notification service 1 14 may transmit a remote notification to the mobile device 104 to indicate to the user 102 that the card profile 1 16 is ready to be downloaded to the mobile payment application 106. The mobile payment application 106 may then communicate with the payment credentials management service 1 12 using mutual authentication and receive the card profile 116 from the remote-SE system. The mobile payment application 106 may then store the received card profile 1 16 in the local encrypted database 304. [0075] The payment credentials management service 1 12 may also generate a single use key 1 18 including a generating key. In some embodiments, the single use key 1 18 may be generated in response to the receipt of a key request from the mobile device 104. In a further
embodiment, the key request may include a mobile PIN. The payment credentials management service 1 12 may have previously stored the mobile PIN (e.g., as set by the user 102) in the database 602.
[0076] The payment credentials management service 1 12 may then transmit the generated single use key 1 18 to the mobile device 104, which may then store the single use key 1 18 in the local encrypted database 304. In some instances, the single use key 118 may be incorrect (e.g., fake, not genuine, etc.) if the key request includes a mobile PIN for which
authentication is unsuccessful. In some embodiments the key may have been combined with the PIN such that when used it is incorrect without any explicit authentication step. In some embodiments, the card profile 1 16 and/or the single use key 1 18 may be encrypted by the payment credentials management service 1 12 prior to transmission to the mobile device 104, such as by using the mobile key 604. The mobile payment application 106 may then decrypt the received message, also using the shared mobile key 604, or, in some embodiments, a random key.
[0077] Once the mobile payment application 106 includes both the card profile 1 16 and the single use key 1 18, the user 102 may shop at a merchant 306 and select goods or services for purchase. The user 102 may then input to the mobile payment application 106 that a payment transaction is to be conducted. The mobile payment application 106 may then generate a payment cryptogram using the generating key included in the single use key 1 18. The payment cryptogram may be, for example, an application cryptogram or a dynamic card validation code (CVC3). The mobile payment application 106 may transmit the payment cryptogram to the merchant point- of-sale terminal 120. [0078] The merchant point-of-sale terminal 120 may transmit the received payment information and any additional transaction information (e.g., transaction amount, merchant identifier, etc.) to the acquirer processing server 312 of the acquirer 122. The acquirer processing server 312 may then generate and submit an authorization request for the financial transaction to the payment network 124. The payment network 124 may transmit relevant transaction data, such as the payment information and transaction amount, to the issuer processing server 308. The issuer processing server 308 may then validate the application cryptogram. If the validation is successful, the issuer may approve the payment transaction for the transaction amount (e.g., based on an available amount, credit, etc. for the payment account). If the validation is unsuccessful, the issuer may deny the payment transaction. Methods for validating a cryptogram will be apparent to persons having skill in the relevant art.
[0079] In some embodiments, the remote-SE system 1 10 may transmit information to the issuer 108 for storage in the issuer database 310, such as for fraud management. Such information will be apparent to persons having skill in the relevant art and may include, for example, application transaction counters. Methods suitable for performing the functions as disclosed herein are discussed in more detail below with respect to the flow diagrams illustrated in FIGS. 8-14.
Alternative Method for Provisioning Payment Credentials and Generating a Payment Cryptogram
[0080] FIG. 7 illustrates a more detailed version of the alternative system 300 and illustrates the process by which payment credentials may be generated and provisioned to the mobile device 104 and the mobile device 104 used to conduct a contactless payment transaction without the use of a secure element.
[0081] The user 102 may install the mobile application program 106 on the mobile device 104. Prior to the beginning of the process, at stage A, the mobile application program 106 may store authentication keys and credentials in the storage 304 as received from the remote-SE system 1 10. At stage B, a storage key (KSTO AGE) may be stored in the storage 304 as well. At stage C, additional information, including static payment credentials, may be stored in the storage 304.
[0082] At stage 1 , the user 102 may launch the mobile payment application 106 using the mobile device 104. At stage 2a, the mobile payment application 106 may connect with the remote-SE system 1 10 via the cloud system 302, such as by using SSL authentication or any other suitable method for authenticated transmission. The cloud system 302 may transmit payment credentials to the mobile payment application 106, which may then be stored in the storage 304. At stage 2b, the mobile payment application 106 may generate a CAP token used for authentication. In some
embodiments, the user 102 may supply additional authentication credentials, such as a gesture, a password, or a biometric identifier.
[0083] In stage 3, the mobile payment application 106 may transmit the generated CAP token to the remote-SE system 100. At stage 4, the CAP token may be forward to a CAP token validation service (CTVS) 702. At stage 5, the CTVS 702 may validate the CAP token using methods apparent to persons having skill in the relevant art. At stage 6, the results of the validation may be sent to the payment credentials management system 704. In some embodiments, the payment credentials management system 704 may be operated by or on behalf of the issuer 108.
[0084] At stage 7, the payment credentials management system 704 may generate an encrypted payload. As part of the encrypted payload, the payment credentials management system 704 may generate a session key unpredictable number (KSUN), a cloud unpredictable number (UNCLOUD), and may identify and/or store a plurality of dynamic card validation code (CVC3) keys and the KSTORAGE. Methods and systems for the generation of unpredictable numbers will be apparent to persons having skilled in the relevant art. The encrypted payload may include at least one CVC3 key, the KSUN, and the application transaction counter and may be generated using a derived CVC3 key (KDCvc3)- In one embodiment, the KDCvc3 used may be fake if the CAP token validation is unsuccessful. The payload may be encrypted using the KSTORAGE- [0085] At stage 8a, the payment credentials management system 704 may perform a synchronization process with the issuer 108. The synchronization process may include defining rules for the validity of the values generated by the mobile payment application 106 for conducting a payment transaction. In one embodiment, the process may include transmitting at least the KSUN, application transaction counter, and UNCLOUD to the issuer 108 for storage in the issuer database 310.
[0086] At stage 8b, the encrypted payload may be transmitted to the cloud system 302 for transmitting to the mobile payment application 106 in stage 9. At stage 10, the encrypted payload may be decrypted using the KSTORAGE and stored in the storage 304. At stage 11 , the user 102 may shop at the merchant 306 and select goods or services for purchase. As part of the purchase, at stage 12, the mobile payment application 106 may generate a payment CVC3 value. In one embodiment, the mobile device 104 may communicate with the point-of-sale terminal 120. The point-of-sale terminal 120 may generate a reader unpredictable number (UNREADER) and transmit the UNREADER to the mobile payment application 106, which may then generate the payment CVC3 value using the information in the encrypted payload and the UNREADER- The generated payment CVC3 value and the application transaction counter may be transmitted to the point-of-sale terminal 120 via NFC.
[0087] In some embodiments, the user 102 may be required to enter a PIN at the point-of-sale terminal 120 for additional authentication at stage 13. At stage 14, the point-of-sale terminal 120 may execute standard NFC payment transaction processes as will be apparent to persons having skill in the relevant art. At stage 15, the point-of-sale terminal 120 may generate an authorization request for the payment transaction, which may include the UNREADER, the generated CVC3 value, the application transaction counter, and, if applicable, the PI N value input by the user 102. At stage 16, the acquirer processing server 312 may translate the PI N included in the authorization request using methods apparent to persons having skill in the relevant art. It will be further apparent that stage 16 may be optional.
[0088] At stage 17, the authorization request may be forwarded to the payment network 124, which may forward the authorization request and/or information included in the authorization request to the issuer 08. At optional stage 18, the issuer may verify the translated PI N. At stage 19a, the issuer 108 may identify if additional processing is necessary and may, if necessary, retrieve the values stored in the issuer database 310. At stage 19b, the issuer processing server 308 may validate the payment CVC3 value using at least the UNREADER, UNQLOUD, and application transaction counter. Methods for validating a CVC3 will be apparent to persons having skill in the relevant art. At stage 20, the issuer 108 may submit a response based on the validation, and the method may proceed accordingly as in traditional payment transactions.
Method for Registration of a User for Remote Payment Transactions
[0089] FIG. 8 is a flow diagram illustrating a method for the user 102 to register with the remote-SE system 1 10 to enable a payment account for remote payment transactions using a mobile device 104 lacking a secure element.
[0090] At step 806, the user 102 may access the registration system of the remote-SE system 110. The user 102 may access the system via a web browser 804, which may be executed on a computing device. In one embodiment, the computing device may be the mobile device 104. The user 102 may navigate to a webpage hosted by or on behalf of the remote-SE system 1 10. At step 808, the user 102 may register with the payment credentials management service 1 12 via the browser 804. As part of the registration, the user 102 may provide account details for a payment account, and the payment credentials management service 1 12 may ensure the payment account is eligible for remote payment transactions.
[0091] At step 810, the payment credentials management service 1 12 may create a user profile for the user 102 in the remote-SE system 1 10. In some embodiments, a user profile may also be created in the issuer system 108. As part of the creation of the user profile, the payment credentials management service 1 12 may generate and/or identify an activation code. At step 812, the user registration may be completed and the activation code transmitted back to the 102 via the browser 804. At step 814, the payment credentials management service 1 12 may synchronize information (e.g., the user profile, activation code status, etc.) with the issuer 108 for fraud management. It will be apparent to persons having skill in the relevant art that step 814 may be optional.
[0092] At step 816, the user 102 may receive the activation code via the web browser 804. At step 818, the user 102 may download the mobile payment application 106 to the mobile device 104. In one embodiment, the user 102 may utilize an app store 802, such as the Apple® App Store, to download the mobile payment application 106. The mobile payment application 106 may be validated and installed on the mobile device at step 820 using methods and systems apparent to persons having skill in the relevant art. At step 822, the mobile payment application 106 may be successfully installed on the mobile device 104 and may await initialization.
Method for Initialization of the Mobile Payment Application
[0093] FIG. 9 is a flow diagram illustrating a method for initialization of the mobile payment application 106 on the mobile device 104 for use in contactless payment transactions.
[0094] At step 902, the user may start (e.g., execute) the mobile payment application on the mobile device 104. At step 904, the mobile payment application 106 may perform an integrity check. As part of the integrity check, the mobile payment application 106 may authenticate the user 102 and request the activation code provided to the user 102 during the registration process (e.g., at step 812 in FIG. 8). At step 906, the mobile payment application 106 may generate a unique identifier and additional values and keys, such as a local database storage key (e.g., mobile storage key).
[0095] At step 908, the mobile payment application 106 may connect to the payment credentials management service 1 12 using mutual authentication. The mobile payment application 106 may transmit the activation code and any other additional user authentication information (e.g., a user identifier, a password, etc.) as a method of authentication. The mobile payment application 106 may also transmit the generated unique identifier. In some embodiments, the user 102 may also provide a mobile PIN to be transmitted to the payment credentials management service 1 12 as part of step 908.
[0096] At step 910, the payment credentials management service 1 12 may validate the mobile payment application 106 using the provided
authentication information and may, if validated, update the user profile to include the unique identifier. At step 912, the payment credentials
management service 112 may also register the mobile device 104 with the remote notification service 1 14 using the unique identifier. At step 914, the payment credentials management service 1 12 may generate the shared mobile key 604 and may store the shared mobile key 604 in the user profile. At optional step 916, the payment credentials management service 1 12 may synchronize with the issuer 108 for fraud management.
[0097] At step 918, the mobile payment application 106 may receive the shared mobile key 604 from the payment credentials management service 1 12 and may store the mobile key 604 in the encrypted local storage 304. At step 920, the mobile payment application 106 may wipe the mobile storage key, such that the encrypted local storage 304 may not be access without authorization. The mobile payment application 106 may store data with which the mobile storage key is generated separate from the encrypted local storage 304 for use in regenerating the mobile storage key for access to the encrypted local storage 304. At step 922, the mobile payment application 106 may be ready for remote management by the payment credentials management service 112. In some embodiments, the mobile payment application 106 may notify the user 102 when initialization is completed.
Method for Remote Management of the Mobile Payment Application
[0098] FIG. 10 is a flow diagram illustrating a method for remote
management of the mobile payment application 106 of the mobile device 104 via the payment credentials management service 1 12.
[0099] In step 1002, the payment credentials management service 1 12 may receive a trigger to start the remote management of the mobile payment application 106. In some embodiments, the trigger may be received from the payment credentials management service 1 12 itself based on predefined rules. In another embodiment, the trigger may be received from the issuer 108. In step 1004, the payment credentials management service 1 12 may prepare data for remote notification. The preparation of data may include the building of a notification based on a function to be performed, such as the provisioning of the card profile 1 16, provisioning of a single use key 1 18, changing of the mobile PIN, etc. An exemplary method for provisioning of the card profile 1 16 to the mobile device 104 is discussed in more detail below with reference to FIG. 1 1.
[00100] The payment credentials management service 1 12 may build a message including the notification and a session identifier, and then may encrypt the message using the mobile key 604. The payment credentials management service 1 12 may also identify the mobile device 104 for receipt using the unique identifier in the user profile. In embodiments where step 1004 may include the provisioning of the single use key 1 18, the single use key 1 18 may be encrypted using a random key (e.g., or suitable key other than the mobile key 604), and then the encrypted single use key may be encrypted using the mobile 604 and provisioned to the mobile payment application 106 similar to the encryption and transmission of the message as disclosed herein.
[00101] In step 1006, the payment credentials management service 1 12 may transmit the encrypted message to the mobile payment application 106 using remote notification 402. As discussed above, remote notification 402 may include the forwarding of the encrypted message to the remote notification service 1 14, which may transmit the encrypted message to the mobile device 104 using remote notification, which may then make the encrypted message available to the mobile payment application 106. In step 1008, the mobile payment application 106 may receive the encrypted message.
[00102] In step 1010, the user 102 may start the mobile payment application 106. It will be apparent to persons having skill in the relevant art that step 1010 may be optional (e.g., the mobile payment application 106 may start upon receipt of the encrypted message, the mobile payment application 106 may always run in the background, etc.). In step 1012, the mobile payment application 106 may start, which may include regenerating the mobile storage key, retrieving the mobile key 406 from the local encrypted storage 304, and decrypting the message using the retrieved mobile key 406.
[00103] In step 1014, the mobile payment application 106 may connect to the payment credentials management service 1 12 using mutual
authentication 404 as discussed above, such as by generating, transmitting, and then wiping an authentication code including the session identifier. At step 1016, the payment credentials management service 1 12 may validate the authentication credentials transmitted by the mobile payment application 106. If validated, the payment credentials management service 1 12 may then have a secure connection with the mobile payment application 106 and may proceed with the function indicated in the notification. Method for Provisioning of a Card Profile to the Mobile Payment Application
[00104] FIG. 1 1 is a flow diagram illustrating a method for provisioning the card profile 1 16 to the mobile payment application 106 of the mobile device 104 by the payment credentials management service 1 12.
[00105] Utilizing the connection made upon the triggering of remote management illustrated in FIG. 10, at step 1102 the payment credentials management service 12 may build the payment token payload card profile 1 16. The card profile 1 16 may include payment credentials for the payment account indicated by the user 102 during registration, which may have been stored in the user profile. The payment credentials management service 1 12 may build the card profile by generating a message including the payment credentials, generating a mobile session key, and encrypting the message using the mobile session key. The payment credentials management service 1 12 may store the card profile 1 16 in the user profile and, in step 1 104, may transmit the message including the card profile 116 to the mobile payment application 106.
[00106] In step 1 106, the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message. At step 1 108, the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message. Once validated, at step 1 1 10 the mobile payment application 106 may build a receipt message indicating successful receipt and validation of the card profile 1 16, and may be used as an activation message and/or used to carry information from the mobile payment application 106 to the remote- SE system 1 10. The receipt message may be encrypted using the mobile session key. The mobile payment application 106 may also update a status to indicate that the card profile 1 16 is successfully received and stored.
[00107] In step 11 12, the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated. Upon successful validation, in step 1 1 14 the payment credentials management service 1 12 may activate the card profile 1 16 and may update the user profile accordingly. In step 1 1 16, the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the card profile 1 16 has been activated and may wipe the mobile session key. In step 11 18, the payment credentials management service 1 12 may synchronize the user profile indicating activation of the card profile 116 with the issuer 108 for fraud management.
[00108] In step 1 120, the mobile payment application 106 may analyze the return code indicating activation of the card profile 1 16. In step 1122, the mobile payment application 106 may wipe the mobile session key, and in step 1 124 may be ready to receive single use keys 1 18 for use in conducting payment transactions. In some embodiments, the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that single use keys 1 18 may be received.
Method for Provisioning Single Use Keys to the Mobile Payment Application
[00109] FIG. 12 is a flow diagram illustrating a method for the provisioning of single use keys 1 18 to the mobile payment application 106 in the mobile device 104 by the payment credentials management service 1 2 for use in payment transactions.
[00110] In an exemplary embodiment, while performing the connection with the payment credentials management service 1 12 made upon the triggering of remote management illustrated in FIG. 10, the encrypted single use key 118, may be previously transmitted to the mobile payment application 106 in a message encrypted by the mobile key 604. At step 1202, the payment credentials management service 1 12 may build a message with an action to activate (e.g., decrypt) the previously provisioned single use key 1 18, the message including the random key used to encrypt the single use key 1 18. The payment credentials management service 1 12 may then generate a mobile session key and then may encrypt the message including the random key using the mobile session key. The payment credentials management service 1 12 may then, in step 1204, transmit the message including the random key to the mobile payment application 106.
[00111] In step 1206, the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message. At step 208, the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message. The mobile payment application 106 may also decrypt the single use key 1 18 using the random key included in the decrypted message, and may validate the decrypted single use key 1 18. Once validated, at step 1210 the mobile payment application 106 may build a receipt message indicating successful receipt and validation of the single use key 1 18. The receipt message may be encrypted using the mobile session key. The mobile payment application 106 may also update a status to indicate that the single use key 1 18 is successfully received and stored and that the mobile payment application 106 is ready to conduct a payment transaction.
[00112] In step 1212, the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated. Upon successful validation, in step 1214 the payment credentials management service 1 12 may activate the single use key 1 18 and may update the user profile accordingly. In step 1216, the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the single use key 1 18 has been activated and may wipe the mobile session key. In step 1218, the payment credentials management service 1 12 may synchronize the user profile indicating activation of the single use key 1 18 with the issuer 108 for fraud management.
[00113] In step 1220, the mobile payment application 106 may analyze the return code indicating activation of the single use key 1 18. In step 1222, the mobile payment application 106 may wipe the mobile session key, and in step 1224 may be ready to conduct a contactless payment transaction. In some embodiments, the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that the mobile payment application 106 is ready to conduct a contactless payment transaction. Method for Modification of Mobile PIN in the Mobile Payment Application
[00114] FIG. 13 is a flow diagram illustrating a method for the management of a change in the mobile PIN of the user 102 in the mobile payment application 106 by the payment credentials management service 1 12.
[00115] Utilizing the connection made upon the triggering of remote management illustrated in FIG. 10, at step 1302 the payment credentials management service 1 12 may build a remote management action indicating a change to the mobile PIN and removal of all stored single use keys 1 18. The payment credentials management service 1 12 may build a message including the remote management action, generate a mobile session key, and encrypt the message using the mobile session key. The payment credentials management service 1 12 may, in step 1304, transmit the message including remote management action to the mobile payment application 106.
[00116] In step 1306, the mobile payment application 106 may receive the message and may generate the mobile session key used for decrypting the message. At step 1308, the mobile payment application 106 may decrypt the message using the generated mobile session key and may validate the message. Once the message has been validated, the mobile payment application may update the card profile 1 16 accordingly and may remove any available single use keys 1 18 from the encrypted local storage 304. Then, at step 1310, the mobile payment application 106 may build a receipt message indicating successful receipt and execution of the remote management action. The receipt message may be encrypted using the mobile session key.
[00117] In step 1312, the receipt message may be received by the payment credentials management service 1 12 and may be decrypted using the mobile session key and validated. Upon successful validation, in step 1314 the payment credentials management service 1 12 may update the user profile accordingly. In step 1316, the payment credentials management service 1 12 may transmit a notification to the mobile payment application 106 that the user profile has been updated and no single use keys 118 have been issued, and may wipe the mobile session key. In step 1318, the payment credentials management service 1 12 may synchronize the user profile indicating the change to the mobile PIN and wiping of single use keys 1 18 with the issuer 108 for fraud management.
[00118] In step 1320, the mobile payment application 106 may analyze the return code. In step 1322, the mobile payment application 106 may wipe the mobile session key, and in step 1324 may be ready to receive single use keys 1 18 for use in conducting payment transactions. In some
embodiments, the mobile payment application 106 may display a notification to the user 102 via a user interface to indicate that single use keys 1 18 may be received.
Method for Conducting a Payment Transaction Using the Mobile Payment Application
[00119] FIG. 14 is a flow diagram illustrating a method for conducting a contactless payment transaction using the mobile payment application 106 on the mobile device 104 using the card profile 1 16 and single use key 1 18 provisioned by the payment credentials management service 1 12.
[00120] In step 1402, the user 102 may start the mobile payment application 106 on the mobile device 104. In step 1404, the mobile payment application 106 may prepare for payment. To prepare for payment, the mobile payment application 106 may regenerate the mobile storage key and may retrieve the payment credentials and generating key from the card profile 1 16 and the single use key 1 18 in the encrypted local storage 304. The generating key may be used by the mobile payment application 106 to generate a payment cryptogram for use in the payment transaction. The mobile payment application 106 may also indicate to the user 102 that the application is ready for payment.
[00121] In step 1406, a NFC payment method may be executed between the user 102, the mobile device 104, the mobile payment application 106, and the point-of-sale terminal 120. Methods for executing transmission of payment credentials from a mobile device to a point-of-sale terminal will be apparent to persons having skill in the relevant art.
[00122] In step 1408, the point-of-sale terminal 120 at the merchant 306 may provide transaction data to the acquirer 122 including the payment credentials and payment cryptogram. In step 1410, the acquirer 122 may submit an authorization request including the transaction data to the payment network 124. In step 1412, the payment network 124 may seek authorization from the issuer 108 for the payment transaction and may forward relevant information to the issuer 108. In step 1414, the issuer 108 may validate the payment cryptogram using methods that will be apparent to persons having skill in the relevant art. The issuer 108 may, once the payment cryptogram is validated, approve or deny the payment transaction (e.g., based on a transaction amount and available credit in the payment account for the user 102) and notify the payment network 124. At step 1416, the payment network 124 may submit an authorization response to the acquirer 122, which may then forward the response to the merchant 306 and/or point-of-sale terminal 120 at step 1418. At step 1420, the merchant may finalize the payment transaction, such as by providing the transacted goods or services to the user 102 or by providing a receipt to the user 102.
[00123] Once the payment transaction has been completed, the mobile payment application 106 may, at step 1422, update the payment token payload stored in the encrypted local storage 304 based on the outcome of the payment transaction. At step 1424, the mobile payment application 106 may wipe the mobile storage key, and at step 1426, may indicate (e.g., to the user 102) that the mobile payment application 106 is ready for another contactless payment transaction (e.g., if additional single use keys 1 18 are available) or to receive single use keys 1 18.
[00124] In some embodiments, the payment transaction may be conducted via the use of local data authentication (LDA). In some instances, the storage of payment credentials received by the mobile device 104 in the encrypted local storage 304 (e.g., and not in a Secure Element) may be such that CDA (combined dynamic data authentication/application cryptogram generation) may be unavailable to support traditional card verification methods to verify the payment credentials used in the financial transaction. As a result, the point-of-sale terminal 120 may be configured such that it may require authentication by the user 102 at both the mobile device 104 (e.g., entering of the mobile PIN) and the point-of-sale terminal 120 (e.g., entering of an online PIN or signature).
[00 25] LDA may be used in order to provide card authentication support such that a financial transaction may be supported by the point-of-sale terminal 120 utilizing a single point of authentication (e.g., the mobile PIN). In order to perform LDA, the card profile 1 16 may further include one RSA key pair and certificate. The performing of the LDA may include the swapping of the meaning of the effective date and the expiration date in the payment credentials included in the card profile 1 16, and the setting of at least one issuer action code to force the payment transaction to be an online transaction. In a further embodiment, the expiration date may be set as a date prior to the date of issuance, or the effective date may be set as a date beyond the expiry date, or both may be set as defined. This may result in the point-of-sale terminal 120 declining the transaction due to the expiration and/or effective dates, but transmitting the transaction for online
authorization, which may result in processing of the transaction using the single point of authentication by the user 102. In a further embodiment, the expiration date may be set as a previous date, or the effective date may be set as a future date, or both may be set as defined. In some embodiments, performing LDA may further include setting an issuer action code configured to decline offline transactions (e.g., such that if the point-of-sale terminal 120 is an offline-only terminal it may decline all such transactions).
[00126] It is noted that, although the method illustrated in FIG. 14 and described above is a method for conducting a contactless payment transaction, such a method may also be used for conducting a remote payment transaction, for the secure transmission of payment credentials, for use as part of an authentication solution (whether part of a transaction or otherwise), or in other applications as will be apparent to persons having skill in the relevant art and not limited to those illustrated herein.
Exemplary Method for Generating and Provisioning Payment Credentials
[00127] FIG. 15 is a flow chart illustrating a method 1500 for generating and provisioning payment credentials to a mobile device lacking a secure element.
[00128] At step 1502, a card profile (e.g., the card profile 1 16) associated with a payment account may be generated by a processing device (e.g., of the payment credentials management service 1 12), wherein the card profile 1 16 includes at least payment credentials corresponding to the associated payment account and a profile identifier. At step 1504, the generated card profile 1 16 may be provisioned to a mobile device (e.g., the mobile device 104) lacking a secure element. In one embodiment, provisioning the card profile 1 16 may include building a message including the generated card profile 1 16, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device 104.
[00129] At step 1506, a key request may be received from the mobile device 104, wherein the key request includes at least a mobile personal identification number (PIN) and the profile identifier. At step 1508, an authentication device (e.g., of the payment credentials management service 1 12) may use the mobile PIN. In one embodiment, the authentication device may use the mobile PIN using an XOR method. At step 1510, a single use key (e.g., the single use key 1 18) may be generated by the processing device, wherein the single use key 1 18 includes at least the profile identifier, an application transaction counter, and a generating key for use in
generating a payment cryptogram valid for a single financial transaction. In some embodiments, the single use key 1 18 may be genuine if the mobile PIN is successfully authenticated in step 1508, and fake if the mobile PIN is unsuccessfully authenticated. In one embodiment, the method 1500 may further include transmitting the generated single use key 1 18 to an issuer associated with the payment account. In some embodiments, the generated single use key 1 18 may be inactive.
[00130] At step 1512, the generated single use key 1 18 may be transmitted, by a transmitting device, to the mobile device 104. In one embodiment, transmitting the generated single use key 1 18 may include building a message including the generated single use key 1 18, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device 104.
[00131] In embodiments where the generated single use key 18 may be inactive, the method 1500 may further include receiving, from the mobile device 104, and indication of use of the single use key 1 18 and activating, by the processing device, the generated single use key 1 18. In a further embodiment, the method 1500 may also include transmitting, by the transmitting device, an indication of activation of the single use key 1 18 to an issuer (e.g., the issuer 108) associated with the payment account. Method for Generating a Payment Cryptogram
[00132] FIG. 16 is a flow chart illustrating a method 1600 for generating a payment cryptogram in a mobile device (e.g., the mobile device 104) lacking a secure element.
[00133] In step 1602, a card profile (e.g., the card profile 1 16) may be received by a receiving device (e.g., in the mobile device 104), wherein the card profile 1 16 includes at least payment credentials corresponding to a payment account and a profile identifier. In one embodiment, receiving the card profile 1 16 may include receiving an encrypted message including the card profile 1 16, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included card profile 1 16. In some embodiments, the card profile 1 16 may be configured to utilize local data authentication, wherein the local data authentication includes swapping, in the payment credentials, the meaning of an expiration date and an effective date, and setting an issuer action code configured to force the financial transaction to be an online transaction. In a further embodiment, the expiration date may be set as a date prior to the date of issuance, or the effective date may be set as a date beyond the expiry date, or both may be set as defined. In a further embodiment, the card profile 1 16 may further include one RSA key pair and certificate.
[00134] In step 1604, an input device (e.g., of the mobile device 104, such as a touch screen) may receive a mobile personal identification number (PIN) input by a user (e.g., the user 102) of the mobile device 104. In step 1606, a transmitting device may transmit a key request, wherein the key request includes at least the profile identifier.
[00135] In step 1608, a single use key (e.g., the single use key 1 18) may be received, by the receiving device, wherein the single use key 1 18 includes at least an application transaction counter and a generating key. In one embodiment, receiving the single use key 1 18 may include receiving an encrypted message including the single use key 1 18, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included single use key 1 18.
[00136] In step 1610, a payment cryptogram valid for a single payment transaction may be generated, by a processing device, based on at least the received single use key 108 and the mobile PIN. In some embodiments, the payment cryptogram may be an application cryptogram or a dynamic card validation code. In step 1612, at least the payment credentials and the generated payment cryptogram may be transmitted, via near field communication, to a point-of-sale terminal (e.g., the point-of-sale terminal 120) for use in a financial transaction.
[00137] In some embodiments, the method 1600 may further include receiving, by the input device, an indication of use of the received single use key 1 18, transmitting, by the transmitting device, an activation request including at least the profile identifier, and receiving, by the receiving device, an indication of activation of the single use key 1 18. In a further
embodiment, the payment credentials and generated payment cryptogram may be transmitted to the point-of-sale terminal 120 in response to receiving the indication of activation of the single use key 1 18. In an alternative further embodiment, the payment cryptogram may be generated in response to receiving the indication of activation of the single use key 118.
Alternative Method for Generating and Provisioning Payment Details
[00138] FIG. 17 is a flow chart illustrating an alternative method 1700 for generating and provisioning payment details to a mobile device (e.g., the mobile device 104) lacking a secure element.
[00139] In step 1702, at least a storage key, a plurality of dynamic card validation code (CVC3) keys, and an application transaction counter associated with a mobile application program (e.g., the mobile payment application 106) may be stored in a database (e.g., the storage 304). In step 1 04, at least the storage key, an authentication component, and static payment credentials may be provisioned to the mobile device 104, wherein the static payment credentials are associated with a payment account.
[00140] In step 1706, a chip authentication program (CAP) token may be received from the mobile device 104. In step 1708, the authenticity of the received CAP token may be validated by a validation service (e.g., the CTVS 702). In one embodiment, the CAP token may be validated based on at least the provisioned authentication component and an additional credential received from the mobile device 104. In a further embodiment, the additional credential may be at least one of: a gesture, a password, a passcode, and a biometric identifier. In another embodiment, validating the authenticity of the CAP token may include validating the authenticity of the CAP token based on at least the application transaction counter.
[00141] In step 1710, a session key unpredictable number (KSUN) may be generated by a processing device (e.g., the cloud system 302). In step 1712, a cloud unpredictable number (UNCLOUD) may be generated by the processing device 302. In step 1714, the processing device 302 may identify an encrypted payload based on a derived CVC3 key (KDCvc3), wherein the encrypted payload includes at least a CVC3 key of the plurality of CVC3 keys, the KSUN, and the application transaction counter. In one embodiment, the KDCvc3 may be genuine if the received CAP token is successfully validated, and may be fake if the received CAP token is unsuccessfully validated. In some embodiment, the payload may be encrypted using at least the storage key.
[00142] In step 1716, a transmitting device may transmit the encrypted payload to the mobile device 104 for use in generating a CVC3 value for use in a financial transaction. In step 1718, the transmitting device may transmit at least the KSUN, UNCLOUD, and application transaction counter to an issuer (e.g., the issuer 108) associated with the payment account for use in validating the generated CVC3 value used in the financial transaction.
Method for Generating a Dynamic Card Validation Code
[00143] FIG. 18 is a flow chart illustrating a method 1800 for generating a dynamic card validation code (CVC3) value in a mobile device (e.g., the mobile device 104) lacking a secure element.
[00144] In step 1802, at least a storage key, an authentication component, and static payment credentials may be received by a receiving device. In step 1804, at least one additional credential may be received by an input device (e.g., of the mobile device 104). In some embodiments, the at least one additional credential may include at least one of: a gesture, a password, a passcode, and a biometric identifier. In step 1806, a chip authentication program (CAP) token may be generated by a processing device, wherein the CAP token is based on at least the authentication component and the at least one additional credential.
[00145] In step 1808 the generated CAP token may be transmitted by a transmitting device. In step 1810, an encrypted payload may be received by the receiving device, wherein the encrypted payload includes at least a supplied CVC3 value, session key unpredictable number, and an application transaction counter. In step 1812, the processing device may decrypt the encrypted payload using at least the received storage key.
[00146] In step 1814, a reader unpredictable number may be received, via near field communication, from a point-of-sale terminal (e.g., the point-of- sale terminal 120). In step 1816, the processing device may generate a payment CVC3 value based on at least the supplied CVC3 value, the session key unpredictable number, the application transaction counter, and the reader unpredictable number. In step 1818, the generated payment CVC3 value and the application transaction counter may be transmitted, via near field communication, to the point-of-sale terminal 120 for including in an authorization request in a financial transaction. Computer System Architecture
[00147] FIG. 19 illustrates a computer system 1900 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code. For example, the payment credentials
management 1 12, the remote notification service 1 14, the mobile device 104, the acquirer processing server 312, and the issuer processing server 308 may be implemented in the computer system 1900 using hardware, software, firmware, non-transitory computer readable media having instructions stored thereon, or a combination thereof and may be
implemented in one or more computer systems or other processing systems. Hardware, software, or any combination thereof may embody modules and components used to implement the methods of FIGS. 6-18. [00148] If programmable logic is used, such logic may execute on a commercially available processing platform or a special purpose device. A person having ordinary skill in the art may appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, as well as pervasive or miniature computers that may be embedded into virtually any device. For instance, at least one processor device and a memory may be used to implement the above described embodiments.
[00149] A processor device as discussed herein may be a single processor, a plurality of processors, or combinations thereof. Processor devices may have one or more processor "cores." The terms "computer program medium," "non-transitory computer readable medium," and "computer usable medium" as discussed herein are used to generally refer to tangible media such as a removable storage unit 1918, a removable storage unit 1922, and a hard disk installed in hard disk drive 1912.
[00150] Various embodiments of the present disclosure are described in terms of this example computer system 1900. After reading this description, it will become apparent to a person skilled in the relevant art how to implement the present disclosure using other computer systems and/or computer architectures. Although operations may be described as a sequential process, some of the operations may in fact be performed in parallel, concurrently, and/or in a distributed environment, and with program code stored locally or remotely for access by single or multi-processor machines. In addition, in some embodiments the order of operations may be rearranged without departing from the spirit of the disclosed subject matter.
[00151] Processor device 1904 may be a special purpose or a general purpose processor device. The processor device 1904 may be connected to a communication infrastructure 1906, such as a bus, message queue, network, multi-core message-passing scheme, etc. The network may be any network suitable for performing the functions as disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof. Other suitable network types and configurations will be apparent to persons having skill in the relevant art. The computer system 1900 may also include a main memory 1908 (e.g., random access memory, read-only memory, etc.), and may also include a secondary memory 910. The secondary memory 1910 may include the hard disk drive 1912 and a removable storage drive 1914, such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc.
[00152] The removable storage drive 1914 may read from and/or write to the removable storage unit 1918 in a well-known manner. The removable storage unit 1918 may include a removable storage media that may be read by and written to by the removable storage drive 1914. For example, if the removable storage drive 1914 is a floppy disk drive, the removable storage unit 1918 may be a floppy disk. In one embodiment, the removable storage unit 1918 may be non-transitory computer readable recording media.
[00153] In some embodiments, the secondary memory 1910 may include alternative means for allowing computer programs or other instructions to be loaded into the computer system 1900, for example, the removable storage unit 1922 and an interface 1920. Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and other removable storage units 1922 and interfaces 1920 as will be apparent to persons having skill in the relevant art.
[00154] Data stored in the computer system 1900 (e.g., in the main memory 1908 and/or the secondary memory 1910) may be stored on any type of suitable computer readable media, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive). The data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to persons having skill in the relevant art.
[00155] The computer system 1900 may also include a communications interface 1924. The communications interface 1924 may be configured to allow software and data to be transferred between the computer system 1900 and external devices. Exemplary communications interfaces 1924 may include a modem, a network interface (e.g., an Ethernet card), a
communications port, a PCMCIA slot and card, etc. Software and data transferred via the communications interface 1924 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals as will be apparent to persons having skill in the relevant art. The signals may travel via a communications path 1926, which may be configured to carry the signals and may be implemented using wire, cable, fiber optics, a phone line, a cellular phone link, a radio frequency link, etc.
[00156] Computer program medium and computer usable medium may refer to memories, such as the main memory 1908 and secondary memory 1910, which may be memory semiconductors (e.g. DRAMs, etc.). These computer program products may be means for providing software to the computer system 1900. Computer programs (e.g., computer control logic) may be stored in the main memory 1908 and/or the secondary memory 1910. Computer programs may also be received via the communications interface 1924. Such computer programs, when executed, may enable computer system 1900 to implement the present methods as discussed herein. In particular, the computer programs, when executed, may enable processor device 1904 to implement the methods illustrated by FIGS. 6-18, as discussed herein. Accordingly, such computer programs may represent controllers of the computer system 1900. Where the present disclosure is implemented using software, the software may be stored in a computer program product and loaded into the computer system 1900 using the removable storage drive 1914, interface 1920, and hard disk drive 1912, or communications interface 1924.
[00157] Techniques consistent with the present disclosure provide, among other features, systems and methods for the provisioning of payment credentials to mobile devices lacking a secure element and the generation of payment cryptograms based thereon. While various exemplary
embodiments of the disclosed system and method have been described above it should be understood that they have been presented for purposes of example only, not limitations. It is not exhaustive and does not limit the disclosure to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practicing of the disclosure, without departing from the breadth or scope.

Claims

WHAT IS CLAIMED IS:
1 . A method for generating and provisioning payment credentials to a mobile device lacking a secure element, comprising:
generating, by a processing device, a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier;
provisioning, to a mobile device, the generated card profile;
receiving, from the mobile device, a key request, wherein the key request includes at least a mobile personal identification number (PIN) and the profile identifier;
using, by an authentication device, the mobile PIN;
generating, by the processing device, a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction; and
transmitting, by a transmitting device, the generated single use key to the mobile device, wherein the mobile device is not required to have a secure element.
2. The method of claim 1 , wherein
the single use key is genuine if the mobile PIN is successfully authenticated, and
the single use key is fake if the mobile PIN is unsuccessfully authenticated.
3. The method of claim 1 , further comprising:
transmitting, by the transmitting device, the generated single use key to an issuer associated with the payment account.
4. The method of claim 1 , wherein provisioning the generated card profile to the mobile device may include building a message including the generated card profile, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device.
5. The method of claim 1 , wherein transmitting the generated single use key to the mobile device may include building a message including the generated single use key, generating an encryption key, encrypting the message using the generated encryption key, and
provisioning the encrypted message to the mobile device.
6. The method of claim 1 , wherein the generated single use key is inactive.
7. The method of claim 6, further comprising:
receiving, from the mobile device, an indication of use of the single use key; and
activating, by the processing device, the generated single use key.
8. The method of claim 7, further comprising:
transmitting, by the transmitting device, an indication of activation of the single use key to an issuer associated with the payment account.
9. The method of claim 1 , wherein the payment cryptogram is an application cryptogram or a dynamic card validation code.
10. The method of claim 1 , wherein using the mobile PIN includes using, by the authentication device, the mobile PIN using an XOR method.
1 1. A method for generating a payment cryptogram in a mobile device lacking a secure element, comprising:
receiving, by a receiving device, a card profile, wherein the card profile includes at least payment credentials corresponding to a payment account and a profile identifier;
receiving, by an input device, a mobile personal identification number (PIN) input by a user of the mobile device;
transmitting, by a transmitting device, a key request, wherein the key request includes at least the profile identifier;
receiving, by the receiving device, a single use key, wherein the single use key includes at least an application transaction counter and a generating key;
generating, by a processing device, a payment cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN; and
transmitting, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
12. The method of claim 1 1 , wherein the payment cryptogram is an application cryptogram or a dynamic card validation code.
13. The method of claim 1 1 , wherein receiving the card profile may include receiving an encrypted message including the card profile, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included card profile.
14. The method of claim 1 1 , wherein receiving the single use key may include receiving an encrypted message including the single use key, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included single use key.
15. The method of claim 1 1 , further comprising:
receiving, by the input device, an indication of use of the received single use key;
transmitting, by the transmitting device, an activation request, wherein the activation request includes at least the profile identifier; and
receiving, by the receiving device, an indication of activation of the single use key.
16. The method of claim 15, wherein the payment credentials and generated payment cryptogram are transmitted to the point-of-sale terminal in response to receiving the indication of activation of the single use key.
17. The method of claim 15, wherein the payment cryptogram is generated in response to receiving the indication of activation of the single use key.
18. The method of claim 1 1 , wherein
the card profile is configured to utilize local data authentication, and local data authentication includes one of (1) swapping, in the payment credentials, the meaning of an expiration date and an effective date, (2) setting the expiration date as a date prior to the date of issuance, or (3) setting the effective date as a date beyond the expiry date, or both may be set as the expiration date and effective date as defined, and setting an issuer action code configured to force the financial transaction to be an online transaction.
19. The method of claim 18, wherein the card profile further includes one RSA key pair and certificate.
20. A method for generating and provisioning payment credentials to a mobile device lacking a secure element, comprising:
storing, in a database, at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program;
provisioning, to the mobile device, at least the storage key, an authentication component, and static payment credentials, wherein the static payment credentials are associated with a payment account;
receiving, from the mobile device, a chip authentication program (CAP) token;
validating, by a validation device, the authenticity of the received CAP token;
generating, by a processing device, a session key unpredictable number (KSUN);
generating, by the processing device, a cloud unpredictable number
(UNCLOUD);
identifying, by the processing device, an encrypted payload based on a derived dynamic card validation code key (KDCvc3), wherein the encrypted payload includes at least a dynamic card validation code key of the plurality of dynamic card validation code keys, the KSUN, and the application transaction counter;
transmitting, by a transmitting device, the encrypted payload to the mobile device for use in generating a dynamic card validation code for use in a financial transaction; and
transmitting, by the transmitting device, at least the KSUN, UNCLOUD, and application transaction counter to an issuer associated with the payment account for use in validating the generated dynamic card validation code used in the financial transaction.
21. The method of claim 20, wherein
the KDcvc3 is genuine if the received CAP token is successfully validated, and
the KDcvc3 is fake if the received CAP token is unsuccessfully validated.
22. The method of claim 20, wherein validating the authenticity of the CAP token includes validating the authenticity of the CAP token based on at least the provisioned authentication component and an additional credential received from the mobile device.
23. The method of claim 22, wherein the additional credential is at least one of: a gesture, a password, a passcode, and a biometric identifier.
24. The method of claim 20, wherein validating the authenticity of the CAP token includes validating the authenticity of the CAP token based on at least the application transaction counter.
25. The method of claim 20, wherein the encrypted payload is encrypted using at least the storage key.
26. A method for generating a dynamic card validation code in a mobile device lacking a secure element, comprising:
receiving, by a receiving device, at least a storage key, an
authentication component, and static payment credentials;
receiving, by an input device, at least one additional credential;
generating, by a processing device, a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential;
transmitting, by a transmitting device, the generated CAP token; receiving, by the receiving device, an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter; decrypting, by the processing device, the encrypted payload using at least the received storage key;
receiving, via near field communication, a reader unpredictable number from a point-of-sale terminal;
generating, by the processing device, a payment dynamic card validation code based on at least the supplied dynamic card validation code, the session key unpredictable number, the application transaction counter, and the reader unpredictable number; and
transmitting, via near field communication, the generated payment dynamic card validation code and the application transaction counter to the point-of-sale terminal for including in an authorization request for a financial transaction.
27. The method of claim 26, wherein the at least one additional credential is at least one of: a gesture, a password, a passcode, and a biometric identifier.
28. A system for generating and provisioning payment credentials to a mobile device lacking a secure element, comprising:
a transmitting device;
a processing device configured to generate a card profile associated with a payment account, wherein the card profile includes at least payment credentials corresponding to the associated payment account and a profile identifier;
a provisioning device configured to provision, to a mobile device lacking a secure element, the generated card profile; a receiving device configured to receive, from the mobile device, a key request, wherein the key request includes at least a mobile personal identification number (PIN) and the profile identifier; and
an authentication device configured to use the mobile PIN, wherein the processing device is further configured to generate a single use key, wherein the single use key includes at least the profile identifier, an application transaction counter, and a generating key for use in generating a payment cryptogram valid for a single financial transaction, and
the transmitting device is configured to transmit the generated single use key to the mobile device.
29. The system of claim 28, wherein
the single use key is genuine if the mobile PIN is successfully authenticated, and
the single use key is fake if the mobile PIN is unsuccessfully authenticated.
30. The system of claim 28, wherein the transmitting device is further configured to transmit the generated single use key to an issuer associated with the payment account.
31. The system of claim 28, wherein the authentication device is further configured to use the mobile PIN using an XOR method.
32. The system of claim 28, wherein provisioning the generated card profile to the mobile device may include building a message including the generated card profile, generating an encryption key, encrypting the message using the generated encryption key, and provisioning the encrypted message to the mobile device.
33. The system of claim 28, wherein transmitting the generated single use key to the mobile device may include building a message including the generated single use key, generating an encryption key, encrypting the message using the generated encryption key, and
provisioning the encrypted message to the mobile device.
34. The system of claim 28, wherein the generated single use key is inactive.
35. The system of claim 34, wherein
the receiving device is further configured to receive, from the mobile device, an indication of use of the single use key, and
the processing device is further configured to activate the generated single use key.
36. The system of claim 35, wherein the transmitting device is further configured to transmit an indication of activation of the single use key to an issuer associated with the payment account.
37. The system of claim 28, wherein the payment cryptogram is an application cryptogram or a dynamic card validation code.
38. A system for generating a payment cryptogram in a mobile device lacking a secure element, comprising:
a processing device;
a receiving device configured to receive a card profile, wherein the card profile includes at least payment credentials corresponding to a payment account and a profile identifier;
an input device configured to receive a mobile personal identification number (PIN) input by a user of the mobile device; and a transmitting device configured to transmit a key request, wherein the key request includes at least the profile identifier, wherein
the receiving device is further configured to receive a single use key, wherein the single use key includes at least an application transaction counter and a generating key,
the processing device is configured to generate a payment
cryptogram valid for a single financial transaction based on at least the received single use key and the mobile PIN, and
the transmitting device is further configured to transmit, via near field communication, at least the payment credentials and the generated payment cryptogram to a point-of-sale terminal for use in a financial transaction.
39. The system of claim 38, wherein the payment cryptogram is an application cryptogram or a dynamic card validation code.
40. The system of claim 38, wherein receiving the card profile may include receiving an encrypted message including the card profile, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included card profile.
41. The system of claim 38, wherein receiving the single use key may include receiving an encrypted message including the single use key, generating a mobile session key, and decrypting the message using the generated mobile session key to obtain the included single use key.
42. The system of claim 38, wherein
the input device is further configured to receive indication of use of the received single use key,
the transmitting device is further configured to transmit an activation request, wherein the activation request includes at least the profile identifier, and the receiving device is further configured to receive an indication of activation of the single use key.
43. The system of claim 42, wherein the transmitting device is configured to transmit the payment credentials and the generated payment cryptogram in response to the receipt of the indication of activation of the single use key.
44. The system of claim 42, wherein the processing device is configured to generate the payment cryptogram in response to the receipt of the indication of activation of the single use key.
45. The system of claim 38, wherein
the card profile is configured to utilize local data authentication, and local data authentication includes one of (1) swapping, in the payment credentials, the meaning of an expiration date and an effective date, (2) setting the expiration date as a date prior to the date of issuance, or (3) setting the effective date as a date beyond the expiry date, or both may be set as the expiration date and effective date as defined,, and setting an issuer action code configured to force the financial transaction to be an online transaction.
46. The system of claim 45, wherein the card profile further includes one RSA key pair and certificate.
47. A system for generating and provisioning payment credentials to a mobile device lacking a secure element, comprising:
a database configured to store at least a storage key, a plurality of dynamic card validation code keys, and an application transaction counter associated with a mobile application program; a provisioning device configured to provision, to the mobile device, at least the storage key, an authentication component, and static payment credentials, wherein the static payment credentials are associated with a payment account;
a receiving device configured to receive, from the mobile device, a chip authentication program (CAP) token generated based on at least the static payment credentials;
a processing device configured to
validate the authenticity of the received CAP token, generate a session key unpredictable number (KSUN), generate a cloud unpredictable number (UNQLOUD), and identify an encrypted payload based on a derived dynamic card validation code key (KDCvc3), wherein the encrypted payload includes at least a dynamic card validation code key of the plurality of dynamic card validation code keys, the KSUN, and the application transaction counter; and a transmitting device configured to
transmit the encrypted payload to the mobile device for use in generating a dynamic card validation code for use in a financial transaction, and
transmit at least the KSUN, UNCLOUD, and application transaction counter to an issuer associated with the payment account for use in validating the generated dynamic card validation code used in the financial transaction.
48. The system of claim 47, wherein
the KDcvc3 is genuine if the received CAP token is successfully validated, and
the KDcvc3 is fake if the received CAP token is unsuccessfully validated.
49. The system of claim 47, wherein the processing device is configured to validate the authenticity of the CAP token based on at least the provisioned authentication component and an additional credential received from the mobile device.
50. The system of claim 49, wherein the additional credential is at least one of: a gesture, a password, a passcode, and a biometric identifier.
51 . The system of claim 47, wherein the processing device is configured to validate the authenticity of the CAP token based on at least the application transaction counter.
52. The system of claim 47, wherein the processing device is further configured to encrypt the encrypted payload using at least the storage key.
53. A system for generating a dynamic card validation code in a mobile device lacking a secure element, comprising:
a receiving device configured to receive at least a storage key, an authentication component, and static payment credentials;
an input device configured to receive at least one additional credential;
a processing device configured to generate a chip authentication program (CAP) token, wherein the CAP token is based on at least the authentication component and the at least one additional credential; and a transmitting device configured to transmit the generated CAP token, wherein
the receiving device is further configured to receive an encrypted payload, wherein the encrypted payload includes at least a supplied dynamic card validation code, session key unpredictable number, and application transaction counter, the processing device is further configured to decrypt the encrypted payload using at least the received storage key,
the receiving device is further configured to receive, via near field communication, a reader unpredictable number from a point-of-sale terminal, the processing device is further configured to generate a payment dynamic card validation code based on at least the supplied dynamic card validation code, the session key unpredictable number, the application transaction counter, and the reader unpredictable number, and
the transmitting device is further configured to transmit, via near field communication, the generated payment dynamic card validation code and the application transaction counter to the point-of-sale terminal for including in an authorization request for a financial transaction.
54. The system of claim 53, wherein the at least one additional credential is at least one of: a gesture, a password, a passcode, and a biometric identifier.
PCT/US2013/033322 2012-04-02 2013-03-21 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements WO2013151797A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP13772978.6A EP2835004B1 (en) 2012-04-02 2013-03-21 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements
EP19203530.1A EP3614712A1 (en) 2012-04-02 2013-03-21 Systems and methods for processing mobile payments by provisoning credentials to mobile devices without secure elements
AU2013243805A AU2013243805B2 (en) 2012-04-02 2013-03-21 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements
ES13772978T ES2761345T3 (en) 2012-04-02 2013-03-21 Systems and methods to process mobile payments by providing credentials to mobile devices without secure elements
HK15107229.1A HK1206900A1 (en) 2012-04-02 2015-07-28 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements
AU2017216488A AU2017216488B2 (en) 2012-04-02 2017-08-16 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
US201261619095P 2012-04-02 2012-04-02
US61/619,095 2012-04-02
US201261635248P 2012-04-18 2012-04-18
US61/635,248 2012-04-18
US201261735383P 2012-12-10 2012-12-10
US61/735,383 2012-12-10
US201361762098P 2013-02-07 2013-02-07
US61/762,098 2013-02-07
US13/827,042 2013-03-14
US13/827,042 US10515359B2 (en) 2012-04-02 2013-03-14 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements

Publications (1)

Publication Number Publication Date
WO2013151797A1 true WO2013151797A1 (en) 2013-10-10

Family

ID=49300946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/033322 WO2013151797A1 (en) 2012-04-02 2013-03-21 Systems and methods for processing mobile payments by provisioning credentials to mobile devices without secure elements

Country Status (6)

Country Link
US (3) US10515359B2 (en)
EP (2) EP2835004B1 (en)
AU (2) AU2013243805B2 (en)
ES (1) ES2761345T3 (en)
HK (1) HK1206900A1 (en)
WO (1) WO2013151797A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2512944A (en) * 2013-04-12 2014-10-15 Mastercard International Inc Systems and methods for outputting information on a display of a mobile device
WO2015132244A1 (en) * 2014-03-03 2015-09-11 Mastercard International Incorporated Secure mobile device transactions
WO2015166421A1 (en) * 2014-04-30 2015-11-05 Visa International Service Association Systems, methods and devices for providing a single-use payment credential
US20160125417A1 (en) * 2014-02-21 2016-05-05 Samsung Pay, Inc. Terminal for magnetic secure transmission
US9530289B2 (en) 2013-07-11 2016-12-27 Scvngr, Inc. Payment processing with automatic no-touch mode selection
GB2544109A (en) * 2015-11-06 2017-05-10 Visa Europe Ltd Transaction authorisation
JP2017513248A (en) * 2014-04-14 2017-05-25 マスターカード インターナショナル インコーポレーテッド Method and system for generating an advanced storage key without a secure element in a mobile device
EP3364363A1 (en) * 2017-02-21 2018-08-22 Mastercard International Incorporated Transaction cryptogram
EP3326132A4 (en) * 2015-07-17 2019-01-16 Mastercard International Incorporated Authentication system and method for server-based payments
US10362010B2 (en) * 2014-05-29 2019-07-23 Apple Inc. Management of credentials on an electronic device using an online resource
EP3446436B1 (en) * 2016-04-18 2021-01-13 Orange Method for obtaining a security token by a mobile terminal
US10922598B2 (en) 2016-03-02 2021-02-16 Zwipe As Fingerprint authorisable device
US11361313B2 (en) 2013-12-02 2022-06-14 Mastercard International Incorporated Method and system for generating an advanced storage key in a mobile device without secure elements
US11481754B2 (en) 2012-07-13 2022-10-25 Scvngr, Inc. Secure payment method and system
US11605070B2 (en) 2013-07-29 2023-03-14 The Toronto-Dominion Bank Cloud-based electronic payment processing
US11842340B2 (en) 2014-10-21 2023-12-12 Mastercard International Incorporated Method and system for generating cryptograms for validation in a webservice environment

Families Citing this family (210)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140019352A1 (en) 2011-02-22 2014-01-16 Visa International Service Association Multi-purpose virtual card transaction apparatuses, methods and systems
US8762263B2 (en) 2005-09-06 2014-06-24 Visa U.S.A. Inc. System and method for secured account numbers in proximity devices
US9846866B2 (en) * 2007-02-22 2017-12-19 First Data Corporation Processing of financial transactions using debit networks
US7739169B2 (en) 2007-06-25 2010-06-15 Visa U.S.A. Inc. Restricting access to compromised account information
US8121956B2 (en) 2007-06-25 2012-02-21 Visa U.S.A. Inc. Cardless challenge systems and methods
US7937324B2 (en) 2007-09-13 2011-05-03 Visa U.S.A. Inc. Account permanence
US8219489B2 (en) 2008-07-29 2012-07-10 Visa U.S.A. Inc. Transaction processing using a global unique identifier
CA2742963A1 (en) 2008-11-06 2010-05-14 Visa International Service Association Online challenge-response
US9715681B2 (en) 2009-04-28 2017-07-25 Visa International Service Association Verification of portable consumer devices
US9038886B2 (en) 2009-05-15 2015-05-26 Visa International Service Association Verification of portable consumer devices
US7891560B2 (en) 2009-05-15 2011-02-22 Visa International Service Assocation Verification of portable consumer devices
US8534564B2 (en) 2009-05-15 2013-09-17 Ayman Hammad Integration of verification tokens with mobile communication devices
US10846683B2 (en) 2009-05-15 2020-11-24 Visa International Service Association Integration of verification tokens with mobile communication devices
US8893967B2 (en) 2009-05-15 2014-11-25 Visa International Service Association Secure Communication of payment information to merchants using a verification token
US9105027B2 (en) 2009-05-15 2015-08-11 Visa International Service Association Verification of portable consumer device for secure services
US8602293B2 (en) 2009-05-15 2013-12-10 Visa International Service Association Integration of verification tokens with portable computing devices
US10140598B2 (en) 2009-05-20 2018-11-27 Visa International Service Association Device including encrypted data for expiration date and verification value creation
US10255591B2 (en) 2009-12-18 2019-04-09 Visa International Service Association Payment channel returning limited use proxy dynamic value
CN102713922B (en) 2010-01-12 2015-11-25 维萨国际服务协会 For the method whenever confirmed to checking token
US9424413B2 (en) 2010-02-24 2016-08-23 Visa International Service Association Integration of payment capability into secure elements of computers
US10255601B2 (en) 2010-02-25 2019-04-09 Visa International Service Association Multifactor authentication using a directory server
US9245267B2 (en) 2010-03-03 2016-01-26 Visa International Service Association Portable account number for consumer payment account
US9342832B2 (en) 2010-08-12 2016-05-17 Visa International Service Association Securing external systems with account token substitution
BR112013021059A2 (en) 2011-02-16 2020-10-27 Visa International Service Association Snap mobile payment systems, methods and devices
US10586227B2 (en) 2011-02-16 2020-03-10 Visa International Service Association Snap mobile payment apparatuses, methods and systems
US10223691B2 (en) 2011-02-22 2019-03-05 Visa International Service Association Universal electronic payment apparatuses, methods and systems
GB201105765D0 (en) 2011-04-05 2011-05-18 Visa Europe Ltd Payment system
US9280765B2 (en) 2011-04-11 2016-03-08 Visa International Service Association Multiple tokenization for authentication
US9582598B2 (en) 2011-07-05 2017-02-28 Visa International Service Association Hybrid applications utilizing distributed models and views apparatuses, methods and systems
US9355393B2 (en) 2011-08-18 2016-05-31 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
WO2013006725A2 (en) 2011-07-05 2013-01-10 Visa International Service Association Electronic wallet checkout platform apparatuses, methods and systems
WO2013019567A2 (en) 2011-07-29 2013-02-07 Visa International Service Association Passing payment tokens through an hop/sop
US9710807B2 (en) 2011-08-18 2017-07-18 Visa International Service Association Third-party value added wallet features and interfaces apparatuses, methods and systems
US10242358B2 (en) 2011-08-18 2019-03-26 Visa International Service Association Remote decoupled application persistent state apparatuses, methods and systems
US10825001B2 (en) 2011-08-18 2020-11-03 Visa International Service Association Multi-directional wallet connector apparatuses, methods and systems
US9165294B2 (en) 2011-08-24 2015-10-20 Visa International Service Association Method for using barcodes and mobile devices to conduct payment transactions
AU2012301897B2 (en) * 2011-08-30 2017-04-13 Ov Loop Inc. Systems and methods for authorizing a transaction with an unexpected cryptogram
US10223730B2 (en) 2011-09-23 2019-03-05 Visa International Service Association E-wallet store injection search apparatuses, methods and systems
US10223710B2 (en) 2013-01-04 2019-03-05 Visa International Service Association Wearable intelligent vision device apparatuses, methods and systems
CN109508983A (en) 2012-01-05 2019-03-22 维萨国际服务协会 Data protection is carried out with conversion
WO2013113004A1 (en) 2012-01-26 2013-08-01 Visa International Service Association System and method of providing tokenization as a service
AU2013214801B2 (en) 2012-02-02 2018-06-21 Visa International Service Association Multi-source, multi-dimensional, cross-entity, multimedia database platform apparatuses, methods and systems
US10282724B2 (en) 2012-03-06 2019-05-07 Visa International Service Association Security system incorporating mobile device
WO2013166501A1 (en) 2012-05-04 2013-11-07 Visa International Service Association System and method for local data conversion
US9524501B2 (en) 2012-06-06 2016-12-20 Visa International Service Association Method and system for correlating diverse transaction data
WO2014008403A1 (en) 2012-07-03 2014-01-09 Visa International Service Association Data protection hub
US9846861B2 (en) 2012-07-25 2017-12-19 Visa International Service Association Upstream and downstream data conversion
US9256871B2 (en) 2012-07-26 2016-02-09 Visa U.S.A. Inc. Configurable payment tokens
US9665722B2 (en) 2012-08-10 2017-05-30 Visa International Service Association Privacy firewall
US10192216B2 (en) 2012-09-11 2019-01-29 Visa International Service Association Cloud-based virtual wallet NFC apparatuses, methods and systems
WO2014066559A1 (en) 2012-10-23 2014-05-01 Visa International Service Association Transaction initiation determination system utilizing transaction data elements
US8898769B2 (en) 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards
US8959331B2 (en) 2012-11-19 2015-02-17 At&T Intellectual Property I, Lp Systems for provisioning universal integrated circuit cards
US9911118B2 (en) 2012-11-21 2018-03-06 Visa International Service Association Device pairing via trusted intermediary
US10304047B2 (en) 2012-12-07 2019-05-28 Visa International Service Association Token generating component
US9445262B2 (en) * 2012-12-10 2016-09-13 Lg Uplus Corp. Authentication server, mobile terminal and method for issuing radio frequency card key using authentication server and mobile terminal
US8972296B2 (en) 2012-12-31 2015-03-03 Ebay Inc. Dongle facilitated wireless consumer payments
US10740731B2 (en) 2013-01-02 2020-08-11 Visa International Service Association Third party settlement
US9741051B2 (en) 2013-01-02 2017-08-22 Visa International Service Association Tokenization and third-party interaction
GB2513125A (en) * 2013-04-15 2014-10-22 Visa Europe Ltd Method and system for transmitting credentials
US11055710B2 (en) 2013-05-02 2021-07-06 Visa International Service Association Systems and methods for verifying and processing transactions using virtual currency
KR102058175B1 (en) 2013-05-15 2019-12-20 비자 인터네셔널 서비스 어소시에이션 Mobile tokenization hub
KR102138315B1 (en) * 2013-05-30 2020-07-27 삼성전자주식회사 Method and Apparatus for Provisioning Profile
US20140365358A1 (en) * 2013-06-11 2014-12-11 Yuji Higaki Methods and systems for context-based check-out flows using a pass-through payment gateway
US10878422B2 (en) 2013-06-17 2020-12-29 Visa International Service Association System and method using merchant token
US20150006386A1 (en) * 2013-06-28 2015-01-01 Sap Ag Offline mobile payment process
GB201312236D0 (en) * 2013-07-08 2013-08-21 Mastercard International Inc Distribution of activation codes
WO2015005984A1 (en) * 2013-07-12 2015-01-15 Jvl Ventures, Llc Systems, methods, and computer program products for enabling instrument credentials
WO2015013522A1 (en) 2013-07-24 2015-01-29 Visa International Service Association Systems and methods for communicating risk using token assurance data
US10902421B2 (en) * 2013-07-26 2021-01-26 Visa International Service Association Provisioning payment credentials to a consumer
US10496986B2 (en) 2013-08-08 2019-12-03 Visa International Service Association Multi-network tokenization processing
AU2014306259A1 (en) 2013-08-08 2016-02-25 Visa International Service Association Methods and systems for provisioning mobile devices with payment credentials
US10223694B2 (en) 2013-09-10 2019-03-05 Visa International Service Association Mobile payment application provisioning and personalization on a mobile device
US9036820B2 (en) 2013-09-11 2015-05-19 At&T Intellectual Property I, Lp System and methods for UICC-based secure communication
US9124573B2 (en) 2013-10-04 2015-09-01 At&T Intellectual Property I, Lp Apparatus and method for managing use of secure tokens
US9978094B2 (en) 2013-10-11 2018-05-22 Visa International Service Association Tokenization revocation list
JP6386567B2 (en) 2013-10-11 2018-09-05 ビザ インターナショナル サービス アソシエーション Network token system
US10515358B2 (en) 2013-10-18 2019-12-24 Visa International Service Association Contextual transaction token methods and systems
US10489779B2 (en) 2013-10-21 2019-11-26 Visa International Service Association Multi-network token bin routing with defined verification parameters
US9208300B2 (en) 2013-10-23 2015-12-08 At&T Intellectual Property I, Lp Apparatus and method for secure authentication of a communication device
US9240994B2 (en) 2013-10-28 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for securely managing the accessibility to content and applications
US10366387B2 (en) 2013-10-29 2019-07-30 Visa International Service Association Digital wallet system and method
US8930274B1 (en) 2013-10-30 2015-01-06 Google Inc. Securing payment transactions with rotating application transaction counters
US9313660B2 (en) 2013-11-01 2016-04-12 At&T Intellectual Property I, Lp Apparatus and method for secure provisioning of a communication device
US9240989B2 (en) 2013-11-01 2016-01-19 At&T Intellectual Property I, Lp Apparatus and method for secure over the air programming of a communication device
WO2015071939A1 (en) 2013-11-15 2015-05-21 Tenten Technologies Limited Method, system and mobile device for providing user rewards
US9276910B2 (en) * 2013-11-19 2016-03-01 Wayne Fueling Systems Llc Systems and methods for convenient and secure mobile transactions
CN105934771B (en) * 2013-11-19 2020-05-05 维萨国际服务协会 Automatic account provisioning
US9413759B2 (en) 2013-11-27 2016-08-09 At&T Intellectual Property I, Lp Apparatus and method for secure delivery of data from a communication device
AU2014357381B2 (en) * 2013-12-02 2017-03-23 Mastercard International Incorporated Method and system for secure authentication of user and mobile device without secure elements
AU2014368949A1 (en) 2013-12-19 2016-06-09 Visa International Service Association Cloud-based transactions methods and systems
US9922322B2 (en) * 2013-12-19 2018-03-20 Visa International Service Association Cloud-based transactions with magnetic secure transmission
US10433128B2 (en) 2014-01-07 2019-10-01 Visa International Service Association Methods and systems for provisioning multiple devices
US9846878B2 (en) 2014-01-14 2017-12-19 Visa International Service Association Payment account identifier system
US9160724B2 (en) * 2014-01-27 2015-10-13 Canon Kabushiki Kaisha Devices, systems, and methods for device provisioning
US10026087B2 (en) 2014-04-08 2018-07-17 Visa International Service Association Data passed in an interaction
CN106462850A (en) * 2014-04-16 2017-02-22 维萨国际服务协会 Secure transmission of payment credentials
US9942043B2 (en) 2014-04-23 2018-04-10 Visa International Service Association Token security on a communication device
US11574300B1 (en) 2014-04-30 2023-02-07 Wells Fargo Bank, N.A. Mobile wallet systems and methods using trace identifier using card networks
US11610197B1 (en) 2014-04-30 2023-03-21 Wells Fargo Bank, N.A. Mobile wallet rewards redemption systems and methods
US11288660B1 (en) 2014-04-30 2022-03-29 Wells Fargo Bank, N.A. Mobile wallet account balance systems and methods
US11461766B1 (en) 2014-04-30 2022-10-04 Wells Fargo Bank, N.A. Mobile wallet using tokenized card systems and methods
US11615401B1 (en) 2014-04-30 2023-03-28 Wells Fargo Bank, N.A. Mobile wallet authentication systems and methods
US11748736B1 (en) * 2014-04-30 2023-09-05 Wells Fargo Bank, N.A. Mobile wallet integration within mobile banking
US9652770B1 (en) 2014-04-30 2017-05-16 Wells Fargo Bank, N.A. Mobile wallet using tokenized card systems and methods
US9713006B2 (en) 2014-05-01 2017-07-18 At&T Intellectual Property I, Lp Apparatus and method for managing security domains for a universal integrated circuit card
AU2015253182B2 (en) 2014-05-01 2019-02-14 Visa International Service Association Data verification using access device
AU2015256205B2 (en) 2014-05-05 2020-07-16 Visa International Service Association System and method for token domain control
AU2015264124B2 (en) 2014-05-21 2019-05-09 Visa International Service Association Offline authentication
US20150339662A1 (en) * 2014-05-23 2015-11-26 LoopPay Inc. Systems and methods for linking devices to user accounts
US11023890B2 (en) 2014-06-05 2021-06-01 Visa International Service Association Identification and verification for provisioning mobile application
CN104021469A (en) * 2014-06-13 2014-09-03 捷德(中国)信息科技有限公司 Method, equipment and system for carrying out payment transaction
US9780953B2 (en) 2014-07-23 2017-10-03 Visa International Service Association Systems and methods for secure detokenization
US10484345B2 (en) 2014-07-31 2019-11-19 Visa International Service Association System and method for identity verification across mobile applications
PT107820A (en) * 2014-08-01 2016-02-01 Sibs Sgps S A TRANSACTION PROCESSING SYSTEM AND METHOD
US9775029B2 (en) * 2014-08-22 2017-09-26 Visa International Service Association Embedding cloud-based functionalities in a communication device
US10140615B2 (en) 2014-09-22 2018-11-27 Visa International Service Association Secure mobile device credential provisioning using risk decision non-overrides
BR112017005824A2 (en) 2014-09-26 2017-12-12 Visa Int Service Ass method and mobile device.
US11257074B2 (en) 2014-09-29 2022-02-22 Visa International Service Association Transaction risk based token
US10015147B2 (en) 2014-10-22 2018-07-03 Visa International Service Association Token enrollment system and method
GB201419016D0 (en) 2014-10-24 2014-12-10 Visa Europe Ltd Transaction Messaging
GB2534116A (en) * 2014-11-03 2016-07-20 Trurating Ltd PIN entry device
US10325261B2 (en) 2014-11-25 2019-06-18 Visa International Service Association Systems communications with non-sensitive identifiers
CA2964791A1 (en) 2014-11-26 2016-06-02 Visa International Service Association Tokenization request via access device
EP3227845A4 (en) * 2014-12-04 2018-07-18 Mastercard International Incorporated Methods and apparatus for conducting secure magnetic stripe card transactions with a proximity payment device
US11620654B2 (en) 2014-12-04 2023-04-04 Mastercard International Incorporated Methods and apparatus for conducting secure magnetic stripe card transactions with a proximity payment device
US11580519B2 (en) 2014-12-12 2023-02-14 Visa International Service Association Provisioning platform for machine-to-machine devices
US10257185B2 (en) 2014-12-12 2019-04-09 Visa International Service Association Automated access data provisioning
US10187363B2 (en) 2014-12-31 2019-01-22 Visa International Service Association Hybrid integration of software development kit with secure execution environment
US10096009B2 (en) 2015-01-20 2018-10-09 Visa International Service Association Secure payment processing using authorization request
US11250391B2 (en) 2015-01-30 2022-02-15 Visa International Service Association Token check offline
WO2016126729A1 (en) 2015-02-03 2016-08-11 Visa International Service Association Validation identity tokens for transactions
US9619636B2 (en) * 2015-02-06 2017-04-11 Qualcomm Incorporated Apparatuses and methods for secure display on secondary display device
US10977657B2 (en) 2015-02-09 2021-04-13 Visa International Service Association Token processing utilizing multiple authorizations
BR112017017098A2 (en) * 2015-02-17 2018-04-03 Visa International Service Association cloud encryption key agent appliances, methods and systems
US10164996B2 (en) 2015-03-12 2018-12-25 Visa International Service Association Methods and systems for providing a low value token buffer
US10360558B2 (en) 2015-03-17 2019-07-23 Ca, Inc. Simplified two factor authentication for mobile payments
US10050942B2 (en) * 2015-03-17 2018-08-14 Ca, Inc. System and method of mobile authentication
US10089631B2 (en) 2015-03-18 2018-10-02 Ca, Inc. System and method of neutralizing mobile payment
US10387884B2 (en) 2015-03-18 2019-08-20 Ca, Inc. System for preventing mobile payment
CN107438992B (en) 2015-04-10 2020-12-01 维萨国际服务协会 Integration of browser and password
AU2016250092A1 (en) 2015-04-13 2017-08-24 Visa International Service Association Enhanced authentication based on secondary device interactions
US10540648B2 (en) * 2015-04-15 2020-01-21 Mastercard International Incorporated Use of mobile network operator data and/or scores in decision-making on requests for payment credential provisioning for mobile devices
US9998978B2 (en) 2015-04-16 2018-06-12 Visa International Service Association Systems and methods for processing dormant virtual access devices
US20160307186A1 (en) * 2015-04-20 2016-10-20 Mastercard International Incorporated Verification of contactless payment card for provisioning of payment credentials to mobile device
US10552834B2 (en) 2015-04-30 2020-02-04 Visa International Service Association Tokenization capable authentication framework
KR20160145962A (en) * 2015-06-11 2016-12-21 에스케이플래닛 주식회사 User equipment for reverse NFC payment, NFC payment terminal, system comprising the same, control method thereof and computer readable medium having computer program recorded therefor
US10009324B2 (en) * 2015-06-29 2018-06-26 American Express Travel Related Services Company, Inc. Host card emulation systems and methods
CA2930705C (en) * 2015-08-27 2019-06-11 Samsung Pay, Inc. Mobile checkout systems and methods
US10546291B2 (en) 2015-09-09 2020-01-28 Samsung Electronics Co., Ltd. Method and apparatus for performing payment
WO2017066792A1 (en) 2015-10-15 2017-04-20 Visa International Service Association Instant token issuance system
GB2557108A (en) 2015-11-17 2018-06-13 Gelliner Ltd Payment confirmation system and method
CN105488679B (en) * 2015-11-23 2019-12-03 北京小米支付技术有限公司 Mobile payment device, method and apparatus based on biological identification technology
EP3384630B1 (en) 2015-12-04 2021-08-18 Visa International Service Association Unique code for token verification
US11238441B1 (en) 2015-12-28 2022-02-01 Wells Fargo Bank, N.A. Systems and methods for customizing authentication credentials for a payment card
CA3009659C (en) 2016-01-07 2022-12-13 Visa International Service Association Systems and methods for device push provisioning
BR112018014982A8 (en) * 2016-01-25 2023-04-11 Apple Inc CONDUCTING TRANSACTIONS USING ELECTRONIC DEVICES WITH NON-NATIVE CREDENTIALS
WO2017136418A1 (en) 2016-02-01 2017-08-10 Visa International Service Association Systems and methods for code display and use
US10496982B2 (en) * 2016-02-03 2019-12-03 Accenture Global Solutions Limited Secure contactless card emulation
US11501288B2 (en) 2016-02-09 2022-11-15 Visa International Service Association Resource provider account token provisioning and processing
US10313321B2 (en) 2016-04-07 2019-06-04 Visa International Service Association Tokenization of co-network accounts
WO2017184121A1 (en) 2016-04-19 2017-10-26 Visa International Service Association Systems and methods for performing push transactions
WO2017184840A1 (en) 2016-04-21 2017-10-26 Mastercard International Incorporated Method and system for contactless transactions without user credentials
ES2797111T3 (en) * 2016-05-18 2020-12-01 Amadeus Sas Secure exchange of sensitive data via a token and barcode-based network
FR3051613B1 (en) * 2016-05-18 2019-12-13 Amadeus S.A.S. SECURE EXCHANGE OF SENSITIVE DATA ON A NETWORK BASED ON BARCODES AND TOKENS
US11250424B2 (en) 2016-05-19 2022-02-15 Visa International Service Association Systems and methods for creating subtokens using primary tokens
AU2016409079B2 (en) 2016-06-03 2021-07-22 Visa International Service Association Subtoken management system for connected devices
US11068899B2 (en) 2016-06-17 2021-07-20 Visa International Service Association Token aggregation for multi-party transactions
US10361856B2 (en) 2016-06-24 2019-07-23 Visa International Service Association Unique token authentication cryptogram
GB2551775A (en) 2016-06-30 2018-01-03 Ipco 2012 Ltd Communications device, point of sale device, payment device and methods
CN116471105A (en) 2016-07-11 2023-07-21 维萨国际服务协会 Encryption key exchange procedure using access means
CN111615105B (en) * 2016-07-18 2023-08-04 创新先进技术有限公司 Information providing and acquiring method, device and terminal
CN116739570A (en) 2016-07-19 2023-09-12 维萨国际服务协会 Method for distributing tokens and managing token relationships
US9685967B1 (en) * 2016-09-08 2017-06-20 Infineon Technologies Ag Chopper stabilized sigma delta ADC
US10509779B2 (en) 2016-09-14 2019-12-17 Visa International Service Association Self-cleaning token vault
US11468414B1 (en) 2016-10-03 2022-10-11 Wells Fargo Bank, N.A. Systems and methods for establishing a pull payment relationship
CN117009946A (en) 2016-11-28 2023-11-07 维萨国际服务协会 Access identifier supplied to application program
EP3340147A1 (en) * 2016-12-22 2018-06-27 Mastercard International Incorporated Method for providing key identifier in transaction data
US11423395B1 (en) * 2016-12-29 2022-08-23 Wells Fargo Bank, N.A. Pay with points virtual card
US11315137B1 (en) 2016-12-29 2022-04-26 Wells Fargo Bank, N.A. Pay with points virtual card
FR3062501B1 (en) * 2017-02-02 2019-03-15 Idemia France METHOD FOR SECURING ELECTRONIC OPERATION
US10915899B2 (en) 2017-03-17 2021-02-09 Visa International Service Association Replacing token on a multi-token user device
US10902418B2 (en) 2017-05-02 2021-01-26 Visa International Service Association System and method using interaction token
US11494765B2 (en) 2017-05-11 2022-11-08 Visa International Service Association Secure remote transaction system using mobile devices
US10491389B2 (en) 2017-07-14 2019-11-26 Visa International Service Association Token provisioning utilizing a secure authentication system
US11227284B2 (en) * 2017-12-13 2022-01-18 Mastercard International Incorporated Method and system for consumer-initiated transactions using encrypted tokens
US11171775B2 (en) * 2017-12-14 2021-11-09 Mastercard International Incorporated Method and system for device level authentication in electronic transactions
US11356257B2 (en) 2018-03-07 2022-06-07 Visa International Service Association Secure remote token release with online authentication
US11386412B1 (en) 2018-04-12 2022-07-12 Wells Fargo Bank, N.A. Authentication circle management
US11481837B1 (en) 2018-04-12 2022-10-25 Wells Fargo Bank, N.A. Authentication circle management
US10943308B1 (en) 2018-05-03 2021-03-09 Wells Fargo Bank, N.A. Systems and methods for pervasive advisor for major expenditures
US11775955B1 (en) 2018-05-10 2023-10-03 Wells Fargo Bank, N.A. Systems and methods for making person-to-person payments via mobile client application
US11256789B2 (en) 2018-06-18 2022-02-22 Visa International Service Association Recurring token transactions
SG11202101587SA (en) 2018-08-22 2021-03-30 Visa Int Service Ass Method and system for token provisioning and processing
US10949520B2 (en) * 2018-10-02 2021-03-16 Capital One Services, Llc Systems and methods for cross coupling risk analytics and one-time-passcodes
EP3881258A4 (en) 2018-11-14 2022-01-12 Visa International Service Association Cloud token provisioning of multiple tokens
EP3654264A1 (en) * 2018-11-14 2020-05-20 Mastercard International Incorporated Credential management for mobile devices
US20220060889A1 (en) * 2018-12-12 2022-02-24 Visa International Service Association Provisioning initiated from a contactless device
US11151603B2 (en) * 2018-12-31 2021-10-19 Microsoft Technology Licensing, Llc Optimizing content item delivery for installations of a mobile application
WO2020191462A1 (en) * 2019-03-27 2020-10-01 Xard Group Pty Ltd Disabling payment scheme on a digital transaction processing unit (dtpu)
CN113518990A (en) 2019-05-17 2021-10-19 维萨国际服务协会 Virtual access credential interaction system and method
CN110245928B (en) * 2019-05-29 2021-01-29 创新先进技术有限公司 Method, system and equipment for acquiring signing key element information of bank card
US11551190B1 (en) 2019-06-03 2023-01-10 Wells Fargo Bank, N.A. Instant network cash transfer at point of sale
US11392933B2 (en) * 2019-07-03 2022-07-19 Capital One Services, Llc Systems and methods for providing online and hybridcard interactions
US11694187B2 (en) 2019-07-03 2023-07-04 Capital One Services, Llc Constraining transactional capabilities for contactless cards
US11868981B2 (en) * 2019-08-02 2024-01-09 Mastercard International Incorporated System and method to support payment acceptance capability for merchants
US11455620B2 (en) * 2019-12-31 2022-09-27 Capital One Services, Llc Tapping a contactless card to a computing device to provision a virtual number
EP3897017B1 (en) * 2020-04-17 2023-11-01 Secure Thingz Limited A provisioning control apparatus, system and method
WO2024025533A1 (en) * 2022-07-28 2024-02-01 Rakuten Mobile, Inc. Dynamic payment authorization system and method
WO2024077127A1 (en) * 2022-10-06 2024-04-11 A. Visa International Service Association Messaging flow for remote interactions using secure data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080040285A1 (en) 2004-08-18 2008-02-14 John Wankmueller Method And System For Authorizing A Transaction Using A Dynamic Authorization Code
US20080051122A1 (en) * 2005-12-31 2008-02-28 Mobile Candy Dish, Inc. Method and system for transmitting data between a server and a mobile communication device using short message service (sms)

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6226744B1 (en) * 1997-10-09 2001-05-01 At&T Corp Method and apparatus for authenticating users on a network using a smart card
US20020152180A1 (en) * 1999-09-10 2002-10-17 Paul Turgeon System and method for performing secure remote real-time financial transactions over a public communications infrastructure with strong authentication
US20020153424A1 (en) * 2001-04-19 2002-10-24 Chuan Li Method and apparatus of secure credit card transaction
US7059517B2 (en) * 2003-12-31 2006-06-13 Hewlett-Packard Development Company, L.P. On-line PIN verification using polynomials
FR2901650B1 (en) * 2006-05-23 2008-08-08 Radiotelephone Sfr METHOD OF OPTIMIZING THE CAPACITY OF A MOBILE TELEPHONY NETWORK FOR CREATING SERVICES OF WHICH THE FLOW IS MAJORALLY DESCENDING (DOWNLINK)
US8359630B2 (en) * 2007-08-20 2013-01-22 Visa U.S.A. Inc. Method and system for implementing a dynamic verification value
CA2746760A1 (en) * 2009-01-13 2010-07-22 Michael Horie Secure protocol for transactions
US10037524B2 (en) * 2009-01-22 2018-07-31 First Data Corporation Dynamic primary account number (PAN) and unique key per card
US8378172B2 (en) 2009-06-30 2013-02-19 The University Of Hong Kong Methods using acyl-CoA binding proteins to enhance low-temperature tolerance in genetically modified plants
US8825548B2 (en) * 2009-06-30 2014-09-02 Ebay Inc. Secure authentication between multiple parties
US8804793B2 (en) * 2010-07-16 2014-08-12 Aquantia Corporation Method and apparatus for fast link recovery
WO2012037479A1 (en) * 2010-09-17 2012-03-22 Universal Secure Registry, Llc Apparatus, system and method employing a wireless user-device
US8746553B2 (en) * 2010-09-27 2014-06-10 Mastercard International Incorporated Purchase Payment device updates using an authentication process
US8543828B2 (en) * 2010-12-06 2013-09-24 AT&T Intellectual Property I , L.P. Authenticating a user with hash-based PIN generation
GB2506591A (en) 2012-09-28 2014-04-09 Bell Identification Bv Method of providing secure services using a mobile device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080040285A1 (en) 2004-08-18 2008-02-14 John Wankmueller Method And System For Authorizing A Transaction Using A Dynamic Authorization Code
US20080051122A1 (en) * 2005-12-31 2008-02-28 Mobile Candy Dish, Inc. Method and system for transmitting data between a server and a mobile communication device using short message service (sms)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
STIG FRODE MJOLSNES ET AL.: "Localized Credentials for Server Assisted Mobile Wallet", 2001 IEEE, 2001, pages 203 - 204, XP010565895 *

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11481754B2 (en) 2012-07-13 2022-10-25 Scvngr, Inc. Secure payment method and system
GB2512944A (en) * 2013-04-12 2014-10-15 Mastercard International Inc Systems and methods for outputting information on a display of a mobile device
US9530289B2 (en) 2013-07-11 2016-12-27 Scvngr, Inc. Payment processing with automatic no-touch mode selection
US11605070B2 (en) 2013-07-29 2023-03-14 The Toronto-Dominion Bank Cloud-based electronic payment processing
US11361313B2 (en) 2013-12-02 2022-06-14 Mastercard International Incorporated Method and system for generating an advanced storage key in a mobile device without secure elements
US9864994B2 (en) * 2014-02-21 2018-01-09 Samsung Pay, Inc. Terminal for magnetic secure transmission
US20160125417A1 (en) * 2014-02-21 2016-05-05 Samsung Pay, Inc. Terminal for magnetic secure transmission
EP3324322A1 (en) * 2014-03-03 2018-05-23 Mastercard International Incorporated Secure mobile device transactions
WO2015132244A1 (en) * 2014-03-03 2015-09-11 Mastercard International Incorporated Secure mobile device transactions
JP2017513248A (en) * 2014-04-14 2017-05-25 マスターカード インターナショナル インコーポレーテッド Method and system for generating an advanced storage key without a secure element in a mobile device
JP2020074566A (en) * 2014-04-14 2020-05-14 マスターカード インターナショナル インコーポレーテッド Method and system for producing advanced memory key without secure element in mobile device
US20170039552A1 (en) * 2014-04-30 2017-02-09 Visa International Service Association Systems, methods and devices for providing a single-use payment credential
WO2015166421A1 (en) * 2014-04-30 2015-11-05 Visa International Service Association Systems, methods and devices for providing a single-use payment credential
US10362010B2 (en) * 2014-05-29 2019-07-23 Apple Inc. Management of credentials on an electronic device using an online resource
US11488136B2 (en) 2014-05-29 2022-11-01 Apple Inc. Management of credentials on an electronic device using an online resource
US11842340B2 (en) 2014-10-21 2023-12-12 Mastercard International Incorporated Method and system for generating cryptograms for validation in a webservice environment
EP3326132A4 (en) * 2015-07-17 2019-01-16 Mastercard International Incorporated Authentication system and method for server-based payments
US11120436B2 (en) 2015-07-17 2021-09-14 Mastercard International Incorporated Authentication system and method for server-based payments
GB2544109A (en) * 2015-11-06 2017-05-10 Visa Europe Ltd Transaction authorisation
US11645653B2 (en) 2015-11-06 2023-05-09 Visa Europe Limited Transaction authorization
US10922598B2 (en) 2016-03-02 2021-02-16 Zwipe As Fingerprint authorisable device
EP3446436B1 (en) * 2016-04-18 2021-01-13 Orange Method for obtaining a security token by a mobile terminal
US11176547B2 (en) 2017-02-21 2021-11-16 Mastercard International Incorporated Transaction cryptogram
WO2018156333A1 (en) * 2017-02-21 2018-08-30 Mastercard International Incorporated Transaction cryptogram
EP3364363A1 (en) * 2017-02-21 2018-08-22 Mastercard International Incorporated Transaction cryptogram

Also Published As

Publication number Publication date
EP2835004A1 (en) 2015-02-11
ES2761345T3 (en) 2020-05-19
US20130262317A1 (en) 2013-10-03
AU2017216488A1 (en) 2017-08-31
EP2835004A4 (en) 2015-12-02
HK1206900A1 (en) 2016-01-15
EP3614712A1 (en) 2020-02-26
US10515359B2 (en) 2019-12-24
AU2013243805B2 (en) 2017-05-18
US20240029062A1 (en) 2024-01-25
EP2835004B1 (en) 2019-11-06
AU2017216488B2 (en) 2019-03-21
AU2013243805A1 (en) 2014-09-25
US11829999B2 (en) 2023-11-28
US20200082395A1 (en) 2020-03-12

Similar Documents

Publication Publication Date Title
US11829999B2 (en) Systems and methods for processing mobile payments by provisoning credentials to mobile devices without secure elements
US20220245630A1 (en) Method and system for secure authentication of user and mobile device without secure elements
US20140310182A1 (en) Systems and methods for outputting information on a display of a mobile device
EP2820602B1 (en) Systems and methods for mapping a mobile cloud account to a payment account
KR102025816B1 (en) Method and system for secure authentication of user and mobile device without secure elements
AU2014391256B2 (en) Method and system for generating an advanced storage key in a mobile device without secure elements
US20150066651A1 (en) Method and System for Secure Mobile Payment Processing and Data Analytics

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13772978

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2013243805

Country of ref document: AU

Date of ref document: 20130321

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2013772978

Country of ref document: EP